Please give me easy sample to use xml filter

Elastic Stack Logstash
1

Hello.
I'd like to use XML filter,but I didn't use it very well.

please give me easy sample to use xml filter.

sincerely.

2

Please give us an example of the XML you want to parse and what result you want to get from it.

3

Hello, thanks for following.

please read following contents.

1)contents of xml file

<?xml version="1.0" encoding="UTF-8">
< ROOT number="34">
< EVENTLIST>
< EVENT name="hey"/>
< EVENT name="you"/>
< /EVENTLIST>
< /ROOT>

2)contents of conf file

input{
file {
path => "C:\test.xml"
type => "building"
start_position => "beginning"
}
}

filter {
xml {
store_xml => "false"
source => "message"
target => "EVENT"
xpath => ["/ROOT/@number ","number","/ROOT/EVENTLIST/EVENT/@name","name"]
}
}

output
{
elasticsearch{
actin => "index"
host => "localhost"
index => "XMLTest"
protocol => "transport"
cluster => "cluster_name"
manage_template => false
}
stdout { codec => rubydebug}
}
}

I'm tried to use this conf file and xml file.
The xml date didn't add Elasticsearch.

4

Please edit your post and format your XML as code so it won't get stripped away.

5

sorry, i posted it again.

6

The xml date didn't add Elasticsearch.

What XML date? The modification time of the input file?

7

I found this xml date on the following Web site.

The modification time of the input file?
yes, I did.
Just in case I created a new input file when I start logstash with the conf file.

8

Logstash has nothing built in for picking up the input file's modification time. You could write a small Ruby snippet in a ruby filter though; see http://stackoverflow.com/a/29970500/414355.

9

I added this code

filter {
xml{
...
}
ruby {
code => 'event["mtime"] = File.mtime(event["path"])'
}
}

but I can not add xml date.

this is error maybe.
[error]
failed action with response of 400, dropping action

10

ruby {
code => 'event["mtime"] = File.mtime(event["path"])'
}

You did replace path in the Ruby snippet with the actual path to the file, right?

failed action with response of 400, dropping action

Leave ES out of this until your messages look as you expect. Solve one problem at a time.

That said, I'd look in the Elasticsearch logs for clues. Cranking up the Logstash log level with --verbose or even --debug could also be useful.

11

thanks for your comment!
I am poised to fail this issue.
I don't understand this problem.
so, I gave up to use this xml filter.