Dear,
I am a new one in ELK suite, i want use logstash, to update some fields in xml file before insert them in elastcis.
My problem is that the xml file, has a nested fields, and from file tof ile, the numebr of netsed field is not same.
**here after an xml file**
<?xml version="1.0"?>
-<test1 xmlns="test1s.model.toto.com">
<Version>V01.13</Version>
<T_ID>370501</T_ID>
<Stt>5</Stt>
<S_ID2>3705</S_ID2>
<Date>2016-12-13T10:04:54.697Z</Date>
-<Opes>
-<Ope Type="1">
<Start>2016-12-13T10:04:55.570Z</Start>
<End>2016-12-13T10:04:56.120Z</End>
<S_ID2>3705</S_ID2>
<Vrdt Value="2">2</Vrdt>
</Ope>
-<Ope Type="3">
<Start>2016-12-13T10:05:36.883Z</Start>
<End>2016-12-13T10:05:44.287Z</End>
<Log_tst>scv</Log_tst>
<Wk_test>toto_tst</Wk_test>
<S_ID2>3705</S_ID2>
<Vrdt Value="0">0</Vrdt>
</Ope>
</Opes>
<UpdateDateTime>2016-12-13T10:05:45.030Z</UpdateDateTime>
<LastStateDateTime>2016-12-13T10:05:45.027Z</LastStateDateTime>
</test1>
here a logstash pipeline file
input {
file {
path => "/usr/share/img_pro/**/*.xml"
type => "data_xml"
codec => plain {
charset => "ISO-8859-1"
}
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
if [type] == "data_xml" {
xml {
source => "message"
store_xml => true
target => "parsed_xml"
}
}
ruby {
code => "
event['[parsed_xml][Opes[0]][Ope]'].each {|Op| event ['[Op][Vrdt[0]][Value]'] = "Val1" }
"
}
}
mutate {
remove_field => ["message", "host", "port", "tags", "@version", "@timestamp"]
}
}
output {
if "_xmlparsefailure" not in [tags]
{
stdout { codec => rubydebug }
}else {
file {
path => "/usr/share/bad_xml/xml-bad.tsv"
}
}
}
What i want is to update field " Vrdt" to "test_0" if it's value is 0, to to "test_1" if it's value is 1, ... for exemple.
Thank you for your help