Parsing xml with 3 different variants of its content

Hi,

One of our production machines outputs the log into an xml file. Said xml can have 3 different structures:

<useraction>
...
<error>
...
</error>
...
</useraction>

or

<useraction>
...
</useraction>

or

<error>
...
</error>

I'm wondering how my input and filter should look to make sure that all three types are properly parsed as an event. Is this possible, or do I have to create three different inputs?

You should be able to feed all three to the same xml filter.

Hi @Badger.
But how should my input {} look to make sure that the multiline file is properly split?

input {
	file {
		path => "/test/log*.xml"
		start_position => "beginning"
		codec => multiline {
			pattern => "<error>"
			what => "previous"
			negate => "true"
			}
		}
}

Right now it looks like the above. It works fine only with the second variant. Whenever occurs within the structure is not preserved.

You can handle the last two using alternation

pattern => '</(useraction|error)>' negate => true what => "next"

However, I cannot think of any way to handle nested entries.
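The behaviour described in the reply above, as an added example that is not part of the original posts and is not Logstash's own code: a simplified Ruby model of how the multiline codec groups lines with `negate => true` and `what => "next"`, run over constructed sample lines. The helper names and the sample XML are assumptions made for illustration.

```ruby
# Added example: simplified model of the Logstash multiline codec's grouping
# (pattern / negate / what only; no buffer limits, no auto-flush timer).
def group_lines(lines, pattern:, negate:, what:)
  events = []
  buffer = []
  flush = lambda do
    events << buffer.join("\n") unless buffer.empty?
    buffer = []
  end
  lines.each do |line|
    matched = pattern.match?(line) ^ negate
    if what == "next"
      buffer << line            # line belongs with what follows it...
      flush.call unless matched # ...unless it is a closing-tag line
    else                        # what => "previous"
      flush.call unless matched
      buffer << line
    end
  end
  flush.call # emit whatever is still buffered at end of input
  events
end

# Hypothetical helper: an event is complete if it opens with <tag> and
# closes with the matching </tag>.
def complete?(event)
  rows = event.lines.map(&:strip)
  m = rows.first.match(/\A<(\w+)>\z/)
  !m.nil? && rows.last == "</#{m[1]}>"
end

CLOSE_TAG = %r{</(useraction|error)>} # pattern from the reply above

# Constructed sample input, not taken from the real machine log.
FLAT = ["<useraction>", "  <name>login</name>", "</useraction>",
        "<error>", "  <code>42</code>", "</error>"]
NESTED = ["<useraction>", "  <name>save</name>",
          "  <error>", "    <code>7</code>", "  </error>",
          "  <result>failed</result>", "</useraction>"]

def split_events(lines)
  group_lines(lines, pattern: CLOSE_TAG, negate: true, what: "next")
end

puts split_events(FLAT).map { |e| complete?(e) }.inspect
puts split_events(NESTED).map { |e| complete?(e) }.inspect
```

In the nested case the inner `</error>` line ends the event early, so the `<useraction>` record arrives as two fragments, neither of which is well-formed XML on its own.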

Thank you, I will give it a try!
