Parse multiline xml config file into one event, not many


I'm monitoring a configuration XML file for changes using Filebeat, and sending it over to Logstash. I would like to take the key-value pairs into one event in Elasticsearch. It seems to do fine parsing the XML line by line (creating an event for each line, with parsed name and parsed value), but I'd like to have one event with all key-value pairs recognized per monitored config file.

Filebeat is sending over only the lines I want. They look like this (notice the whitespace in front):

 <userConfig name="User" value="wookie"/>
 <userConfig name="Lastlogon" value="15446454645"/>

I've played around with the multiline codec in Logstash, which will put one file = one event; however, it fails to parse the XML.

XML filter I'm using (have tried targeting doc and parsed for target). This works as long as I don't use the multiline input codec:

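filter {
  xml {
    # parse the raw line that Filebeat ships in the "message" field
    source => "message"
    #force_array => "true"
    # store the parsed structure under the "parsed" field
    target => "parsed"
    remove_namespaces => true
    store_xml => true
    force_array => true
  }
}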

Thanks for any help,
