Logstash parsing string+xml

Hello,

I need to get the transaction id from the input message. During execution, the config script runs without error; however, it is not able to parse the transaction id from the xml. Any help?

Log Input:

2017-09-05 08:12:52,508 DEBUG com.demo.GetInsuredImpl.lookup [default-threads - 35] - The request to InsuredService is <?xml version="1.0" encoding="UTF-8"??>test170905081252

Logstash filter:

# Check if GROK parse failure and try another format
grok {
  remove_tag => [ "_grokparsefailure" ]
  match => { "message" => "%{TIMESTAMP_ISO8601:logTimeStamp} %{LOGLEVEL:level} (com.demo.(?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+)( \[default-threads - %{DATA:thread}\])?( \[%{WORD}\/%{IP:sic-server-ip}:%{POSINT}(-%{INT:temp_int})?\])? (- )?(%{GREEDYDATA:entryMessage})?" }
}

# Parse the XML string from the log entry message
grok {
  remove_tag => [ "_grokparsefailure" ]
  match => { "entryMessage" => "(%{GREEDYDATA:temp_pref})?(\<\?xml version=\"1.0\")( encoding=\"UTF-8\")?(\?\>)%{GREEDYDATA:xmlinput}" }
}

if [xmlinput] {
   xml {
     source => [ "xmlinput" ]
     store_xml => [ "false" ]
     xpath => ["/GroupPolicy/Control/TransactionId/text()", "transactionId"]
   }
   mutate {
     remove_field => [ "xmlinput" ]
   }
}

If you format the log example as preformatted text (like you did with the configuration) it'll be easier to help.
