Logstash parsing string+xml


#1

Hello,

I need to get the transaction id from the input message. During execution, the config script runs without error, however, it is not able to parse the transaction id from the xml. Any help?

Log Input:

2017-09-05 08:12:52,508 DEBUG com.demo.GetInsuredImpl.lookup [default-threads - 35] - The request to InsuredService is <?xml version="1.0" encoding="UTF-8"??>test170905081252

Logstash filter:

# Check if GROK parse failure and try another format
grok {
  remove_tag => [ "_grokparsefailure" ]
  match => { "message" => "%{TIMESTAMP_ISO8601:logTimeStamp} %{LOGLEVEL:level} (com.demo.(?:[a-zA-Z0-9-]+\.)+[A-Za-z0-9$]+)( \[default-threads - %{DATA:thread}\])?( \[%{WORD}\/%{IP:sic-server-ip}:%{POSINT}(-${INT:temp_int})?\])? (- )?(%{GREEDYDATA:entryMessage})?" }
}

# Parse the XML string from the log entry message
grok {
  remove_tag => [ "_grokparsefailure" ]
  match => { "entryMessage" => "(%{GREEDYDATA:temp_pref})?(\<\?xml version=\"1.0\")( encoding=\"UTF-8\")?(\?\>)%{GREEDYDATA:xmlinput}" }
}

if [xmlinput] {
   xml {
     source => [ "xmlinput" ]
     store_xml => [ "false" ]
     xpath => ["/GroupPolicy/Control/TransactionId/text()", "transactionId"]
   }
   mutate {
     remove_field => [ "xmlinput" ]
   }
}

(Magnus B├Ąck) #2

If you format the log example as preformatted text (like you did with the configuration) it'll be easier to help.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.