Multiline Filter Help to find specific field

moriol · January 18, 2018, 3:27pm

I have an xml file that I need to ingest with Logstash, with specific fields. It has structure:
< Test>
< Type>
< Data>
..........
..........
< /Data>
< /Type>
< /Test>

I am trying to use multiline codec, in order to filter through the message and get the data I need with a specific pattern.
The data I only want to ingest is everything inside of < Data>......< /Data> and ignore the rest of the data.

I have following configuration, which seems to take for start each event, but ingests data until the next . I seem to get in each event < Data>< /Data> < /Test>< Test>< Type>
codec => multiline {
# pattern => ".< Data>."
pattern => "<(Data)|(Data)>"
negate => true
what => "previous"
}

How to take only everything in < Data>< /Data> into account?

moriol · January 18, 2018, 3:48pm

I managed to resolve with:
codec => multiline {
pattern => ".<( Test|Type|Data)>."
negate => true
what => "previous"

and then in filter drop anything containing:
if [message] =~ "< Test>" {
drop {}}
Same for Data.

Is there a better way with multiline to deal with this?

system · February 15, 2018, 3:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html Logstash	4	400	January 18, 2017
Logstash XML Parsing Using multiline Logstash	1	1105	July 6, 2017
Can i use file filter for xml docs Logstash	12	2875	July 6, 2017
"Couldn't find any filter plugin named 'multiline'. Are you sure this is correct Logstash	3	1546	July 19, 2017
Parsing multiline logs : line + xml Logstash	10	6630	July 6, 2017

Multiline Filter Help to find specific field

Related Topics