Multiline Filter Help to find specific field


#1

I have an XML file that I need to ingest with Logstash, with specific fields. It has the structure:
< Test>
< Type>
< Data>
..........
..........
< /Data>
< /Type>
< /Test>

I am trying to use the multiline codec in order to filter through the message and get the data I need with a specific pattern.
The only data I want to ingest is everything inside < Data>......< /Data>, ignoring the rest of the data.

I have the following configuration, which seems to take for start each event, but ingests data until the next . I seem to get in each event < Data>< /Data> < /Test>< Test>< Type>
codec => multiline {
  # pattern => ".< Data>."
  pattern => "<(Data)|(Data)>"
  negate => true
  what => "previous"
}

How can I take only everything in < Data>< /Data> into account?


#2

I managed to resolve it with:
codec => multiline {
  pattern => ".<( Test|Type|Data)>."
  negate => true
  what => "previous"
}

and then in the filter, drop anything containing:
if [message] =~ "< Test>" {
  drop {}
}
Same for Data.

Is there a better way with multiline to deal with this?
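
An added example, not part of either post above: one way to start an event at each opening Data tag and then keep only the text between the tags, so no separate drop rule per wrapper tag is needed. It assumes the real file writes the tags as `<Data>` and `</Data>` (no space after `<`); the file path is a placeholder.

```logstash
input {
  file {
    path => "/path/to/input.xml"        # placeholder path (assumption)
    start_position => "beginning"
    codec => multiline {
      # Match only the opening tag. The pattern from post #1,
      # "<(Data)|(Data)>", is an alternation of "<Data" OR "Data>",
      # so the closing </Data> line also matches and starts a new event.
      pattern => "<Data>"
      negate => true
      what => "previous"
      # Without this, the last block in the file stays buffered
      # until another matching line arrives.
      auto_flush_interval => 2
    }
  }
}

filter {
  # Each event now looks like:
  #   <Data> ... </Data> </Type> </Test> <Test> <Type>
  # (?m) lets "." span newlines; the capture overwrites "message"
  # with just the text between the Data tags.
  grok {
    match => { "message" => "(?m)<Data>\s*(?<message>.*?)\s*</Data>" }
    overwrite => ["message"]
    tag_on_failure => ["no_data_block"]
  }

  # The lines before the first <Data> (<Test>, <Type>) form an event
  # with no Data block; discard it and any other event that failed to match.
  if "no_data_block" in [tags] {
    drop {}
  }
}

output {
  stdout { codec => rubydebug }
}
```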

