Hello,
I need to get the transaction ID from the input message. During execution, the config script runs without error; however, it is not able to parse the transaction ID from the XML. Any help?
Log Input:
2017-09-05 08:12:52,508 DEBUG com.demo.GetInsuredImpl.lookup [default-threads - 35] - The request to InsuredService is <?xml version="1.0" encoding="UTF-8"??>test170905081252
Logstash filter:
# Check if GROK parse failure and try another format
grok {
  remove_tag => [ "_grokparsefailure" ]
  match => { "message" => "%{TIMESTAMP_ISO8601:logTimeStamp} %{LOGLEVEL:level} (com.demo.(?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+)( \[default-threads - %{DATA:thread}\])?( \[%{WORD}\/%{IP:sic-server-ip}:%{POSINT}(-%{INT:temp_int})?\])? (- )?(%{GREEDYDATA:entryMessage})?" }
}
# Parse the XML string from the log entry message
grok {
  remove_tag => [ "_grokparsefailure" ]
  match => { "entryMessage" => "(%{GREEDYDATA:temp_pref})?(\<\?xml version=\"1.0\")( encoding=\"UTF-8\")?(\?\>)%{GREEDYDATA:xmlinput}" }
}
if [xmlinput] {
  xml {
    source => [ "xmlinput" ]
    store_xml => [ "false" ]
    xpath => ["/GroupPolicy/Control/TransactionId/text()", "transactionId"]
  }
  mutate {
    remove_field => [ "xmlinput" ]
  }
}
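
Added example, not part of the original post: a Python stand-in for the second grok stage and the xpath lookup, to check offline which stage drops the transaction ID. Python's `re` and `ElementTree` stand in for grok and the Logstash xml filter. The names `extract_transaction_id` and `XML_DECL`, the XML bodies, and the `urn:example:policy` namespace are constructed assumptions, since the post's XML payload did not survive.

```python
import re
import xml.etree.ElementTree as ET

# Second grok stage from the post, with %{GREEDYDATA:x} expanded to (?P<x>.*).
XML_DECL = re.compile(
    r'(?P<temp_pref>.*)?(<\?xml version="1.0")( encoding="UTF-8")?(\?>)(?P<xmlinput>.*)'
)
# /GroupPolicy/Control/TransactionId, written relative to the root element.
XPATH = "./Control/TransactionId"


def extract_transaction_id(entry_message):
    """Return (stage, value): the stage that stopped the lookup, or ("ok", id)."""
    m = XML_DECL.search(entry_message)          # grok patterns are unanchored
    if m is None:
        return ("grok", None)                   # xmlinput is never set
    try:
        root = ET.fromstring(m.group("xmlinput"))
    except ET.ParseError:
        return ("xml", None)                    # payload is not well-formed XML
    if root.tag != "GroupPolicy":
        return ("xpath", None)                  # e.g. a namespace-qualified root
    node = root.find(XPATH)
    if node is None or node.text is None:
        return ("xpath", None)
    return ("ok", node.text)


PREFIX = "The request to InsuredService is "
BODY = ("<GroupPolicy{ns}><Control><TransactionId>test170905081252"
        "</TransactionId></Control></GroupPolicy>")      # constructed payload

# The entry message exactly as it appears in the post (declaration ends in "??>").
AS_POSTED = PREFIX + '<?xml version="1.0" encoding="UTF-8"??>test170905081252'
# Constructed: well-formed declaration and body, no namespace.
WELL_FORMED = PREFIX + '<?xml version="1.0" encoding="UTF-8"?>' + BODY.format(ns="")
# Constructed: same body with a default namespace on the root element.
NAMESPACED = (PREFIX + '<?xml version="1.0" encoding="UTF-8"?>'
              + BODY.format(ns=' xmlns="urn:example:policy"'))

if __name__ == "__main__":
    for name, msg in [("as posted", AS_POSTED), ("well formed", WELL_FORMED),
                      ("namespaced", NAMESPACED)]:
        print(name, "->", extract_transaction_id(msg))
```

If the real payload declares a default namespace, the Logstash xml filter's `remove_namespaces` or `namespaces` option is what lets an unqualified xpath like the one in the post match.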