Logstash - Parse XML attributes

Ju_La · August 18, 2018, 11:28pm

I am trying to parse and send field names to ElasticSearch and am running into issue with getting the correct fields lined up.

Here is some sample XML

<products>
<product name="name_1"></product>
<product name="name_2"></product>
<product name="name_3"></product>
</products>

My logstash config file:

input {
    file {
        path => "sample.xml"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        exclude => "*.gz"
        type => "xml"
        codec => multiline {
            pattern => "<products>"
            negate => "true"
            what => "previous"
        }
    }
}

filter {
    xml {
        source => "message"
        store_xml => false
        target => "products"
        add_field => {
            "p_name" => "%{[products][product][name]}"
        }
        xpath => [
            "/products/*/@name", "product_name"
        ]
    }
}

Currently, in ElasticSearch: there is a single p_name set to %{[merchandiser][product][name]} and product_name is name_1, name_2, name_3

Instead, I would like to have 3 different records, each having their own unique product_name

What is correct xml filter?

Badger · August 19, 2018, 1:24am

If you have a field that is an array and you want to split it into one event per entry then use a split filter.

Ju_La · August 19, 2018, 12:27pm

Do you have an example (based on the provided xml) that you can share?

Ju_La · August 19, 2018, 9:45pm

@magnusbaeck - Are you able to help out here? I see you have answered similar queries and was hoping to grab your attention.

system · September 16, 2018, 9:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.