OK, then you should try these two and see which one you prefer:

```
xml { source => "message" target => "theXML" store_xml => true }
split { field => "[theXML][suite][0][test][0][kw]" }
```

```
xml { source => "message" target => "theXML" store_xml => true force_array => false }
split { field => "[theXML][suite][test][kw]" }
```
The latter will give you events like this:

```
{
       "message" => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<robot generated=\"20190204 14:20:19.932\" generator=\"Robot 3.0.3.dev20170213 (Python 2.7.15 on win32)\">\n [...]",
          "tags" => [
        [0] "multiline"
    ],
      "@version" => "1",
        "theXML" => {
        "generated" => "20190204 14:20:19.932",
        "generator" => "Robot 3.0.3.dev20170213 (Python 2.7.15 on win32)",
            "suite" => {
            "source" => "C:\\BAT-Copy\\bat-electron\\out-tsc\\main\\main\\resources\\robotframework\\acceptance\\Test_Case_1.txt",
              "test" => {
                  "kw" => {
                    "arguments" => {
                        "arg" => "Some more text I want to index"
                    },
                          "doc" => "Some other text I want to index"
                },
                  "id" => "s1-t1",
                "name" => "Default"
            },
                "id" => "s1",
              "name" => "Test Case 1"
        }
    }
}
```
Typically after using xml+split you will want to use mutate+rename to move fields around.
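
The following is an added example, not part of the original post: the second variant above extended with the mutate+rename step, using the field paths from the sample event. The target names (`suite_name`, `test_name`, `kw_doc`, `kw_arg`) are hypothetical; pick whatever fits your index mapping.

```logstash
filter {
  # Parse the whole Robot Framework document into [theXML].
  # force_array => false keeps single child elements as plain values
  # instead of one-element arrays.
  xml {
    source      => "message"
    target      => "theXML"
    store_xml   => true
    force_array => false
  }

  # One event per <kw>. The split filter only splits arrays and strings,
  # so this assumes the test contains more than one <kw>; a single <kw>
  # stays a hash under force_array => false and is not split.
  split { field => "[theXML][suite][test][kw]" }

  # Move the values to index up to the top level (hypothetical names),
  # then drop the parsed tree and the raw XML so they are not indexed
  # again with every split event.
  mutate {
    rename => {
      "[theXML][suite][name]"                     => "suite_name"
      "[theXML][suite][test][name]"               => "test_name"
      "[theXML][suite][test][kw][doc]"            => "kw_doc"
      "[theXML][suite][test][kw][arguments][arg]" => "kw_arg"
    }
    remove_field => [ "theXML", "message" ]
  }
}
```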