Logstash xml parsing problems

povisx1 · April 16, 2018, 7:37am

Hello,

I have the problem with xml parsing, my parsed result looks like :

{"newMSISDN":"%{parsedMSISDN}","offset":52307874,"host":"miram.int.bite.lt","prospector":{"type":"log"},"@version":"1","@timestamp":"2018-04-16T06:03:11.780Z","beat":{"hostname":"miram.int.bite.lt","name":"miram.int.bite.lt","version":"6.2.3"},"source":"/ocs/mobicents/server/bite/log/ocs.log","message":"2018-04-16 08:01:18,089 INFO [net.bitegroup.ocs.lt.sbb.OcsSbb] Request CCR: <?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><ccr><msisdn>37068783222</msisdn><ocsIp>10.241.53.45</ocsIp><apn>internplt</apn><sessionId>c0-10-225-64-26-epg02;1516844161;24238957</sessionId><ccrMscc><inputOctetsUsed>0</inputOctetsUsed><outputOctetsUsed>0</outputOctetsUsed><totalOctetsUsed>0</totalOctetsUsed><timeUsed>5013</timeUsed><inputOctetsUsedAfterTct>0</inputOctetsUsedAfterTct><outputOctetsUsedAfterTct>0</outputOctetsUsedAfterTct><totalOctetsUsedAfterTct>0</totalOctetsUsedAfterTct><timeUsedAfterTct>0</timeUsedAfterTct><ratingGroup>2085</ratingGroup><inputOctetsRequested>0</inputOctetsRequested><outputOctetsRequested>0</outputOctetsRequested><totalOctetsRequested>0</totalOctetsRequested><timeRequested>0</timeRequested><reportingReason>0</reportingReason><tariffChangeUsed>false</tariffChangeUsed></ccrMscc><sgsnIp>213.226.158.160</sgsnIp><ggsnIp>213.226.158.154</ggsnIp><imsi>246021005289080</imsi><imei>5359126095156720</imei><userLocationInfo>0142f62029053054</userLocationInfo><sgsnMccMnc>24602</sgsnMccMnc><chargingId>4116118880</chargingId><ip>10.20.170.183</ip><qos></qos><chargingCharacteristic>0400</chargingCharacteristic><chargingRuleName></chargingRuleName><requestType>UPDATE_REQUEST</requestType><requestNumber>453</requestNumber><creditControlFailureHandlingType>0</creditControlFailureHandlingType><ccSessionFailover>0</ccSessionFailover></ccr>","tags":["beats_input_codec_plain_applied"]}

My code:

input {
  beats {
    port => 5043
  }
}

filter {
 
    xml {
      source => "message"
      remove_namespaces => "true"
      xpath => ["//ccrB/msisdn/text()", "parsedMSISDN",
                "//ccrB/ocsIp/text()", "ocsIP"
               ]
      store_xml => "false"
    }
    mutate {
      add_field =>{"newMSISDN" => "%{parsedMSISDN}"}
    }
}

output {

    file {
      path => "/home/work/logstash-out/ocs_test.out"
    }

    #stdout { codec => rubydebug }

}

i want to add field newMSISDN but I don't get xml value, as i understand problem is in this place

<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>, maybe xpath don't understand these symbols **\"**

Maybe someone can help me with this one , thanks

Christian_Dahlqvist · April 16, 2018, 7:46am

Your message field starts like this:

2018-04-16 08:01:18,089 INFO [net.bitegroup.ocs.lt.sbb.OcsSbb] Request CCR: <?xml version=\"1.0\"...

As this is not all valid XML, you can not directly apply the XML filter to it. You will need to use a grok or dissect filter to parse the components of the log so you get the XML content at the end in a separate field. Then you can use the XML filter on this field.

povisx1 · April 16, 2018, 8:22am

Thanks for the answer

Maybe you can say more which grok filter I should use, I try to use {GREEDYDATA:msgBody}
but this only take all message, how can I take only xml log block ? Main problem is that logstash add these symbols, maybe I can somehow take them off ? and then as I understand also should work .

Christian_Dahlqvist · April 16, 2018, 8:37am

Have a look at the dissect filter as it might be easier to get started with and should be sufficient here. This blog post contains a good introduction.

povisx1 · April 18, 2018, 1:35pm

Sorry, I don't have much time, so only now I checked your answer and I think this is not good. Is there really no other way to say for logstash to not add these symbols in this place ( \ ) :

<?xml version=**\**"1.0**\**" encoding=**\**"UTF-8**\**" standalone=**\**"yes**\**"?>

Because in my real log there not exist these symbols , for example in my real log this place looks like this and the xpath work then:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

So is there really no way to config logstash to not add these symbols ?

Christian_Dahlqvist · April 18, 2018, 2:27pm

Did you try it out? If so, what did not work?

povisx1 · April 20, 2018, 12:43pm

Hi!

I have try it and this I think for me is not correct because my log all the time is differend sometimes I don't even have xml in my log. So I now try to take value with grok regex
So now I only have this problem, maybe you would help me, I take value like this:

but my result looks like this :
How i can get result like this : 37068783222

Jenni · April 20, 2018, 1:04pm

If you only want the middle part extracted, you have to put the named group only around the middle part. (Posting a screenshot instead of text doesn't make helping you easier )

<msisdn>(?<msisdn>.*)<\/msisdn>

(I don't know what the additional :? and ? were supposed to do.)

povisx1 · May 16, 2018, 6:13am

Hi thanks all for your help I taked all xml with grok regex like this:
match => { "message" => "(?<(.*)</cc.>)"}

And then use xml plugin and take all values I need

system · June 13, 2018, 6:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to parse xml.log via logstash Logstash	4	278	October 7, 2020
Problems with parsing XML log files with XML filter of Logstash Logstash	8	1561	July 6, 2017
Logstash grok don't parse value Logstash	5	447	June 13, 2018
Need some help with Logstash and the XML filter plugin Logstash	11	469	March 26, 2021
Xml parse in logstash Logstash	10	310	March 12, 2024

Logstash xml parsing problems

Related Topics