Parsing an xml file

Elastic Stack Logstash
1

Hello,
I am having a sample xml log file like below:

<note date="2017-03-01"> <to>XX</to> <from>YY</from> </note>

I want to parse the above code and want to display the data in an output file like this:

<note> <date> <year>2017</year> <month>03</month> <day>01</day> <date> <to fullName="XX">Destination</to> <from fullName="YY">Source</from> </note>

I am new to ELK framework . I have tried to create logstash config using xpath filters but no luck if anyone help me with sample code means it would be a great help.

Thanks.

2

If you show what you have come up with so far (even if it doesn't work) it'll be easier to help out.

3

input {
file {
path => "/tmp/test/test.xml"
start_position => "beginning"
sincedb_path => "NUL"
codec => multiline {
pattern => " <note>|</note>"
negate => true
what => "previous"
auto_flush_interval => 1
}
}
}

filter {
if [message] == "<note>" or [message] == "</note>" {

#here I want to copy at their places
target => "message.parsed"

}

xml {
source => "message"
target => "message.parsed"
xpath => [ "/event/message/text()", eventmessage ]
force_array => false
}
}

output {
file {
path => "/tmp/test/result.xml" }
}

it's all that I could do.. I can't find a way to do that transformation.

4 
if [message] == "<note>" or [message] == "</note>" {

This condition will never be true because message will never contain only an opening or a closing tag.

xpath => [ "/event/message/text()", eventmessage ]

You're mixing up the Logstash event with the XML snippet. You're probably looking for something like this:

xpath => [
  "/note/from/text()", "from,
  "/note/to/text()", "to,
  "/note/@date", "date"
]

Note that Logstash doesn't have an XML output plugin, so while it's possible to produce the XML snippet you want I don't recommend it. Why not just use an XSLT template for this XML transform?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.