Logstash XML

Imad_Bouchakour · July 26, 2019, 1:51pm

Hi

i'am trying to parse a xml file with logstash and i having some issues

this is my XML exemple :

<books>
 <book>
		<name>HarryPotter</name>
		<id>785</id>
		<numero>7</numero>
	</book>
<book>
		<name>game of thrones</name>
		<id>441</id>
		<numero>3</numero>
	</book>
</books>

my .conf

     input{
               ..................
               ......
                codec => multiline {
    	      pattern => '^<book' 	
    	      negate => true
    	      what => "previous"
    	    }   
    	}
    }

      xpath =>
                [
                "/book/id/text()", "id",
                "/book/name/integer", "name",
                "/book/numero/integer", "numero",
                ]
        }

the first issue is i'am getting some erreur
exception=>#<REXML::ParseException: Missing end tag for '' (got "books")

the second one is that i can't change the type i'am getting string value in elastic for all how to change that

tks

Badger · July 26, 2019, 2:01pm

You claim to be matching a pattern that never matches. That will not flush an event unless you enable auto_flush_interval. Since you are getting an event I infer that you are not using the configuration you claim to be using.

Once you get that part working you will need to update the xpath expressions

"/books/book/id/text()", "id",

for example.

Imad_Bouchakour · July 26, 2019, 2:04pm

i just fixed my post

codec => multiline {
    	      pattern => '^<book' 	
    	      negate => true
    	      what => "previous"
    	    }

So ?

Badger · July 26, 2019, 2:56pm

That will result in an event that has this message field

<books>\n <book>\n        <name>HarryPotter</name>\n        <id>785</id>\n        <numero>7</numero>\n    </book>

That is not valid XML. You could use mutate+gsub to fix it.

Since you did not enable auto_flush_interval the second book element will never get flushed.

Imad_Bouchakour · July 29, 2019, 8:53am

i did enable the auto_flush_interval and still the same problem this is what i'am getting in my log :

Error parsing xml with XmlSimple {:source=>"message", :value=>"\n\t\tHarryPotter\n\t\t785\n\t\t7\n\t\t\n", :exception=>#<REXML::ParseException: Missing end tag for '' (got "books")

i am using a http poller. how can i fix it with mutate+gsub and Remove line-breaks ?

Badger · July 29, 2019, 1:24pm

You do not need to remove the line breaks. If you want to the post I linked to shows how to do it. You can remove the books tag using

mutate { gsub => [ "message", "<books>", "" ] }

Imad_Bouchakour · July 30, 2019, 12:56pm

thanks i fix it.

Imad_Bouchakour · July 30, 2019, 3:16pm

Another question: i'am ussing logstash 7.2.0 in my test environment and it work bu in another one there is logstash 6.0.1 and that doesn't work it, is it normal ?

Badger · July 30, 2019, 3:41pm

I would expect the same configuration to work. What does not work?

Imad_Bouchakour · July 31, 2019, 1:52pm

log stash bloc completely, and i don't have any log and reset log config don't work. it not problem i'am sending the data to elasticsearch from another environment.

i have this :

status online 282673s

i want to split the "online 282673s" i tried split => { "status" => " " } but that doesn't work how to slip with space ??

Imad_Bouchakour · August 1, 2019, 1:40pm

this is what i did and that doesn't work

   gsub => ["status", " ", ":"]
    split => { "status" => ":" }
    add_field => {
             "firstPart" => "%{[status][0]}"
             "secondPart" => "%{[status][1]}"
              }

this is what i'am getting

secondPart: %{[status][1]}
firstPart: online:5039s

Badger · August 1, 2019, 2:01pm

I cannot explain why that would not work. With this configuration

filter {
    mutate { add_field => { "status" => "online 282673s" } }
    mutate {
        split => { "status" => " " }
        add_field => {
            "firstPart" => "%{[status][0]}"
            "secondPart" => "%{[status][1]}"
        }
    }
}

or this configuration

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_field => { "status" => "online 282673s" } }
    mutate {
        gsub => ["status", " ", ":"]
        split => { "status" => ":" }
        add_field => {
            "firstPart" => "%{[status][0]}"
            "secondPart" => "%{[status][1]}"
        }
    }
}

I get

 "firstPart" => "online",
"secondPart" => "282673s",
    "status" => [
    [0] "online",
    [1] "282673s"
],

Imad_Bouchakour · August 1, 2019, 2:51pm

That didn't work with my field, don't now why. so this is what i did and it work

mutate { add_field => { "statusbis" => "%{[status]}" } } 
   mutate {
        split => { "statusbis" => " " }
        add_field => {
            "firstPart" => "%{[statusbis][0]}"
            "secondPart" => "%{[statusbis][1]}"
        }
    }

And it works tanks for your help

Badger · August 1, 2019, 3:44pm

All of that would be consistent with the original status field being an array with a single member.

    "status" => [
    [0] "online:282673s"
],

That would explain why the original mutates did nothing and why it started working when you copied status to another field (which is not an array).

system · August 29, 2019, 3:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with parsing multiline XML file Logstash	4	2894	July 6, 2017
How to properly read and ingest XML file into Elastic Logstash	13	6721	June 28, 2019
Logstash XML parsing problem Logstash	3	1354	January 18, 2018
Xml can't be parsed! Logstash	5	304	September 19, 2019
Trouble parsing xml file Logstash	3	480	November 21, 2018

Logstash XML

Related topics