Logstash xml split filter

Naveen_Reddy_Sama · July 23, 2018, 11:22am

Hi team,

using the below logstash confg file xml filter

filter {
xml {
source => "message"
target => "xml_content"
}
split {
field => "xml_content[station]"
}
split {
field => "xml_content[station][name]"
}
mutate {
add_field => { "lastupdate" => "%{xml_content[lastupdate]}" }
add_field => { "name" => "%{xml_content[station][name][name]}" }
remove_field => ['xml_content', 'message', 'path']
}
}

getting invalid results check in kibana results

tags:multiline, _xmlparsefailure, _split_type_failure @timestamp:July 23rd 2018, 16:42:16.662 name:%{xml_content[station][name][name]} @version:1 lastupdate:%{xml_content[lastupdate]} _id:GmfXxmQBPb0XzgMOBBMj _type:doc _index:xmltest _score: -

can anyone help me on this thanks in advance

dadoonet · July 23, 2018, 11:38am

Thread moved to #logstash

Naveen_Reddy_Sama · July 23, 2018, 11:47am

Hi Dadoonet
can you please explain me in detail.

Badger · July 23, 2018, 12:10pm

It is failing to parse the message as xml. What does the message look like? Comment out the remove_field until you are sure things are working correctly.

Naveen_Reddy_Sama · July 23, 2018, 12:18pm

Hi Badger,
if i uncommented remove_field it is passing all the xml file as in message, i need to display/split only those filtered values in kibana

Thanks!

Badger · July 23, 2018, 12:42pm

Once again, what does the message look like? Either paste from the JSON tab in Kibana/Discover or add stdout { codec => rubydebug } }

system · August 20, 2018, 12:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.