Need help to parse XML log in logstash

Elastic Stack Logstash
1

I recently started learning ELK but having hard time in understanding on how to parse XML data. Below is the sample log data. Any help would be appreciated in helping to write logstash configuration.

<?xml version="1.0" encoding="UTF-8" ?>
<ExecutionLogModel>
<LogEvent level="INFO" time="2016-07-05T10:30:57Z" heapname="heap15" heaptype="Try/Catch" heaplabel="Eliminate the document with no user activity" heapextendedinfo="">
<Message>Executing Try/Catch heap with 1 document(s).</Message>
</LogEvent>
<LogEvent level="INFO" time="2016-07-04T10:30:57Z" heapname="heap8" heaptype="Message" heaplabel="" heapextendedinfo="">
<Message>heap executed successfully in 2 ms.</Message>
</LogEvent>
</ExecutionLogModel>
2

Have you looked into the xml filter? What do you want to extract from the XML document, i.e. what do you want Logstash to do?

3

I looked at XML filter but didn't understood it quit well. Currently, i am looking to parse the everything between the as one event.

Thanks

4

If that's what you want to do it should be enough to set the xml filter's source option to the name of the field where the XML document is stored (probably message).

However, this assumes that the whole XML document has found itself into a field of a single Logstash event. You might need to make additional changes for that to happen, but with the few details about your configuration that you've given us I can't be more specific than that.

5

when i tried the below XML filter configuration for the above logs , logstash stopped listening on to the port 5044.

if [fields][logtype] == "process_log" {
xml {

source => "message"
target => "parsed"

split {
  field => "[parsed][logEvent]"
}

}

6

You can't have the split filter inside the xml filter.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.