Parse repeated tags in xml using split filter

Arshdeep_Sandhu · August 7, 2019, 11:50am

I am trying to parse repeated tags in xml using split filter to get result as below example:
If my logstash is:

<?xml version="1.0" encoding="UTF-8"?>
<ROOT ID="01">
  <EVENTLIST>
    <EVENT name="abc"/>
	<EVENT name="def"/>
	</EVENTLIST>
</ROOT>

Then output should be:
[
ID => 01
name => abc
]
[
ID => 01
name => def
]

My logstash is:

filter {
if [fields][log_type] == "XMLs" {
		xml {
		source => "message"
		target => "xml_content"
		 split {
		field => "xml-content[Header][Record][Assortment]"
		}
		split {
		field => "xml-content[Header][Record][Assortment][ID]"
		}
		split {
		field => "xml-content[Header][Record][Assortment][ReceivingStore]"
		}
		split {
		field => "xml-content[Header][Record][Assortment][ReceivingStore][StoreInternalID]"
		}
mutate 
		{ 
		add_field => { "Status" => "%{xml-content[Header][Record][Assortment][actionCode]}%{xml-content[Header][Record][Assortment][ReceivingStore][actionCode]}" }
		add_field => { "Key" => "%{xml-content[Header][Record][Assortment][ID]}" }
		add_field => { "Id" => "%{xml-content[Header][Record][Assortment][ReceivingStore][StoreInternalID]}" }
output {
    stdout {
    codec => rubydebug
  }
}

Its showing the error:

what changes are required in split filter or any where else to get desirable output and what should be included in filebeat for this scenario.

I am a novice in ELK so requesting to make your reply as simple as possible.

Badger · August 7, 2019, 11:59am

All those references need square brackets around xml-content...

"[xml-content][Header][Record][Assortment]"

Arshdeep_Sandhu · August 8, 2019, 7:08am

"[xml-content][Header][Record][Assortment]"

I put the square brackets but instead of reading the value of Key and Id from xml its giving output like:

Key =>  xml-content[Header][Record][Assortment][ID]
Id => xml-content[Header][Record][Assortment][ReceivingStore][StoreInternalID]

Badger · August 8, 2019, 1:06pm

All of the references to xml-content require square brackets. That is true for both the split filters and the mutate

add_field => { "Key" => "%{[xml-content][Header][Record][Assortment][ID]}" }

Arshdeep_Sandhu · August 9, 2019, 9:07am

I have added square bracket in both split filter and mutate.
Still showing error:

and _split_type_failure.

Badger · August 9, 2019, 12:35pm

The error message shows you have not running a configuration to which the square brackets have been added.

Arshdeep_Sandhu · August 20, 2019, 3:51am

The error message shows you have not running a configuration to which the square brackets have been added.

Which configuration seem to be missing for resulting in '_split_type_failure'.

system · September 17, 2019, 3:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.