Hi,
I'm trying to index an XML file and am not able to index the entire log.
Please find the sample log below.
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
  <Event>
    <System>
      <TimeCreated SystemTime="2017-10-22T14:49:38.0Z"/>
      <Computer>IM454E3</Computer>
      <EventID>4776</EventID>
    </System>
    <Tool>
      <EventSummary>Machine has been dissolved</EventSummary>
      <Level>4</Level>
      <Type>Medium</Type>
    </Tool>
    <EventData>
      <Status>640000X</Status>
      <(TestInfo)>Machine returned</(TestInfo)>
    </EventData>
  </Event>
</Events>
Please find my config file below.
input {
  file {
    path => "C:\Users\Sanjay\Documents\logstash-5.6.3\bin\events.xml"
    start_position => "beginning"
  }
}
filter {
  if [message] =~ "^<\?xml" {
    drop {}
  }
  if [message] =~ "^<Events>" {
    drop {}
  }
  xml {
    remove_namespaces => true
    # store_xml => false
    source => "message"
    target => "event"
    xpath =>
    [
      "/Event/System/TimeCreated/@SystemTime", "date",
      "/Event/System/Computer/text()", "Computer",
      "/Event/System/EventID/text()", "EventID",
      "/Event/Tool/EventSummary/text()", "EventSummary",
      "/Event/Tool/Level/text()", "Level",
      "/Event/Tool/Type/text()", "Type",
      "/Event/EventData/Status/text()", "Status",
      #"/Event/EventData/(TestInfo)/text()", "TestInfo",
    ]
  }
  mutate {
    replace => { "date" => "%{date[0]}" }
  }
  date {
    match => ["date", "ISO8601"]
  }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "event_index"
    workers => 1
    user => logstash_internal
    password => changeme
  }
}
When I index the data using this configuration, only a few fields are being indexed.
When I checked the error, it was caused by this data: <(TestInfo)>Machine returned</(TestInfo)>
So I removed the () from the log, tried indexing the data with the same configuration file, and then everything went well.
Is there a way to index the data <(TestInfo)>Machine returned</(TestInfo)> as it is, without removing the () from the original data?
Please help me in solving this issue.
Thanks in advance,
Dharma Sanjay Reddy M.
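The element name (TestInfo) is not a legal XML Name (parentheses are not allowed in element names), so any conforming parser, including the one behind the Logstash xml filter, rejects the whole event. The example below is an added illustration, not part of the post above and not Logstash code: it checks whether an event is well-formed, rewrites illegal characters out of tag names before parsing, and then extracts the same values the post's xpath list asks for. The sample event is copied from the post; the function names, the regular expressions and the TestInfo field name are assumptions made for this example. Unlike the Logstash xpath option, which returns arrays (hence the post's %{date[0]} workaround), these helpers return scalars.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the single <Event> from the post, including the
# <(TestInfo)> element whose name violates the XML Name rules.
SAMPLE_EVENT = """<Event>
<System>
<TimeCreated SystemTime="2017-10-22T14:49:38.0Z"/>
<Computer>IM454E3</Computer>
<EventID>4776</EventID>
</System>
<Tool>
<EventSummary>Machine has been dissolved</EventSummary>
<Level>4</Level>
<Type>Medium</Type>
</Tool>
<EventData>
<Status>640000X</Status>
<(TestInfo)>Machine returned</(TestInfo)>
</EventData>
</Event>"""

# Characters permitted in an element name (ASCII subset of the XML Name production);
# anything else is dropped by sanitize_element_names(). Assumed helper regexes.
_NAME_CHAR = re.compile(r"[^A-Za-z0-9_.:-]")
# Matches the start of an open or close tag and captures the raw tag name.
_TAG = re.compile(r"<(/?)([^\s<>/]+)")


def is_well_formed(xml_text: str) -> bool:
    """True when the text parses as XML; the raw sample returns False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def sanitize_element_names(xml_text: str) -> str:
    """Rewrite tag names so they satisfy the XML Name rules,
    e.g. <(TestInfo)> becomes <TestInfo>. Processing instructions (<?xml ...>)
    and declarations/comments (<!...) are left untouched. Text content is not
    affected because a literal '<' inside content must already be escaped."""
    def fix(match):
        slash, name = match.group(1), match.group(2)
        if name[0] in "?!":
            return match.group(0)
        clean = _NAME_CHAR.sub("", name)
        # A name may not start with a digit, '.' or '-'; prefix an underscore if needed.
        if not clean or clean[0].isdigit() or clean[0] in ".-":
            clean = "_" + clean
        return f"<{slash}{clean}"
    return _TAG.sub(fix, xml_text)


def extract_fields(xml_text: str) -> dict:
    """Extract the values the post's xpath list targets from one <Event>,
    after sanitizing the tag names. Missing elements yield None."""
    root = ET.fromstring(sanitize_element_names(xml_text))
    paths = {
        "Computer": "./System/Computer",
        "EventID": "./System/EventID",
        "EventSummary": "./Tool/EventSummary",
        "Level": "./Tool/Level",
        "Type": "./Tool/Type",
        "Status": "./EventData/Status",
        "TestInfo": "./EventData/TestInfo",  # assumed target name for <(TestInfo)>
    }
    time_created = root.find("./System/TimeCreated")
    fields = {"date": time_created.get("SystemTime") if time_created is not None else None}
    for key, path in paths.items():
        node = root.find(path)
        fields[key] = node.text if node is not None else None
    return fields


if __name__ == "__main__":
    print("raw event well-formed:", is_well_formed(SAMPLE_EVENT))        # False
    print("sanitized well-formed:", is_well_formed(sanitize_element_names(SAMPLE_EVENT)))
    print(extract_fields(SAMPLE_EVENT))
```

Running the block shows the raw event failing to parse and the sanitized copy parsing cleanly with TestInfo populated. In a Logstash pipeline the equivalent step is a mutate filter with a gsub option that rewrites the offending tag names in the message field before the xml filter runs, so the original file on disk stays unchanged and only the copy handed to the parser is normalized.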