Multiline pattern setting for multiple loglines in XML file

Elastic Stack Beats
1

Hi,

Below is my xml file.

Now my question is, I was able get every line in the above xml in a each message, but i'm unable to get all the log lines in a single message.

Anyone can assist ?

Thanks

<?xml-stylesheet alternate="yes" href="./event_log.xsl" type="text/xsl"?>
<?xml-stylesheet alternate="yes" href="file://c:/drive/bin/event_log.xsl" type="text/xsl"?>
<EventLog SetMinutes="800" Id="8000" Process="Player.exe">
<Clock ClockId="CLk-21e21412414=4-1341341414141"/>
<Entry serial_no="0" mcycle="2132424124-4141" Thread="player" ThreadId="tester" Seconds="11231243241.354123" Severity="info" >Local player details  - Receievd metrics
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 400 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 30 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached 130 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 3300 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1300 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 400 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 30 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached 130 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 3300 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1300 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached to 733 level and need to get an xp
</Entry>
</Eventlog>

This is how my multiline in filebeat.yml looks like

multiline.pattern: '^<Entry|^=[a-z]'
      multiline.negate : false
      multiline.match: after

My logstash.conf

input{
   beats {
       port => 5044
 }

}
filter{
    xml{
        source => message
        store_xml => true
        target => "doc"
        xpath => ["/Eventlog[@name='ThreadId']@value",  "ThreadId",
                          "/Eventlog[@name='Thread']@value",  "Thread",
                          "/Eventlog[@name='Secs']@value",  "Seconds",
                          "/Eventlog/Entry/text()", "details"
                          ]
}

Now my question is, I was able get every line in the above xml in a each message, but i'm unable to get all the log lines in a single message.

Anyone can assist ?

Thanks

2 
```multiline.pattern: '^<Entry|^=[a-z]'
    multiline.negate : false
    multiline.match: after```


My logstash.conf
input{
 beats {
     port => 5044
}

}
filter{
  xml{
      source => message
      store_xml => true
      target => "doc"
      xpath => ["/Eventlog[@name='ThreadId']@value",  "ThreadId",
                        "/Eventlog[@name='Thread']@value",  "Thread",
                        "/Eventlog[@name='Secs']@value",  "Seconds",
                        "/Eventlog/Entry/text()", "details"
                        ]
}


  Now my question is, I was able get every line in the above xml in a each message, but i'm unable to get all the log lines in a single message.

Anyone can assist ?

Thanks

Reply

This topic will close a month after the last reply.

Bookmark Share Flag Reply

Watching

You will receive notifications because you created this topic.

Suggested Topics

Topic Replies Views Activity
Unable to start elasticsearch after creating cert for http communication 3

Elasticsearch

stack-security|15|159|Apr 5|
|How to remove agent.* and ecs.version?

Filebeat|3|19|1h|
|Help needed for setup.template.append_fields usage

Filebeat|0|7|5h|
|Multiline JSON not importing to fields in ElasticSearch - do I need Logstash?

Filebeat|0|11|5h|
|【filebeat output.file】when the output filebeat has been deleted,it wont be created agian automatically

Filebeat|0|8|7h|

There are 2 unread and 211 new topics remaining, or browse other topics in Filebeat

© 2018. All Rights Reserved - Elasticsearch

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.