Separate log message and transaction message

"####<Sep 19, 2016 6:54:32 AM EDT> <> <dnb_domain01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000LT25JRt1baV0U3R5Fs1NrwFW000002> <1474282472208> <User connection factory "SOAJMSModule!XmlSchemaChangeNotificationConnectionFactory" is started.> "
####<Sep 19, 2016 6:54:32 AM EDT> <> <dnb_domain01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <0000LT25JRt1baV0U3R5Fs1NrwFW000002> <1474282472210> <Creating WorkManager from "wmSOAWorkManager" WorkManagerMBean for application "UMSJMSSystemResource">
<soap:Body xmlns:ns1="">



i want to separate transaction XML and log message and have to parse ApplicationID by passing input as ApplicationBatchID

There's no XML in your post. Please format the log snippet as preformatted text using the </> toolbar button.

####<Sep 16, 2016 3:00:58 AM EDT> <Info> <ALSB Logging> <> <Mac01_mngd01> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <4098825ab168b478:-2ebacfe3:1570e6b61b8:-8000-000000000001f813> <1474009258784> <BEA-000000> < [A&L Pipeline1, A&L Pipeline_response, A&L ResponseStage, RESPONSE] Toolkit ES AuditRequest: <soapenv:Body xmlns:adap="" xmlns:gad="" xmlns:soapenv="">
 <AuditTransaction xmlns="" xmlns:ser="">
      </ser:ApplicationDetail>    </ser:ServiceHeader>
</AuditTransaction >

In this log message, I should get ApplicationID by filtering ApplicationTransactionID. I came to see XML{} function but dont know to use effectively for my requirement.

Have you used a multiline codec to get all lines of the message into a single Logstash event? Once you're there, use a grok filter to extract the timestamp and whatever else comes before the XML into their own fields, including the XML that should go into one field. Then use the xml filter to processs the XML field and extract the pieces you're interested in.

Thanks a lot magnus. Able to parse now.

I am getting some part of logs attached to filtered XML

    multiline {
     pattern => "^####"
       negate => true
        what => "next"}
    grok {
    match => ["message", "####<%{DATA:wls_timestamp}> <%{WORD:severity}> <%{DATA:wls_topic}> <%{DATA:hostname}> <%{WORD:server}> %{GREEDYDATA:logmessage}"]
    if "_grokparsefailure"  in [tags]
    drop {}
    if "multiline" in [tags] {
    source => "logmessage"
    store_xml => "false"
    remove_namespaces => "true"
    xpath => [ "/GetDGXPacketRequest/TransactionDetail/ApplicationTransactionID/text()", "APP_ID" ]
    xpath => [ "/GetDataRequest/TransactionDetail/ApplicationTransactionID/text()", "APP_ID" ]
    xpath => [ "/GetXTEDataRequest/GetDataRequest/TransactionDetail/ApplicationTransactionID/text()", "APP_ID" ]
    xpath => [ "/AuditTransaction/ServiceHeader/TransactionDetail/TransactionID/text()", "APP_ID" ]
    add_tag => XML_IN
    if "_xmlparsefailure" in [tags]
    drop {}
    if "XML_IN" not in [tags]
    drop {}
    if  "XML_IN" in [tags]{
    add_field => ["MSG_XML", "%{logmessage}"]
    add_field => ["HOST_PROC", "%{host}"]
    remove_field => [ "@version", "path", "host", "wls_topic", "logmessage", "server", "severity", "message", "hostname"]
**My Output has still some soap tags**
"MSG_XML" => "  <pcm:GetDataRequest ServiceVersionNumber=\"\" xmlns:pcm=\"\">\n    <TransactionDetail>\n      <ApplicationTransactionID>Sample_915</ApplicationTransactionID>\n      <SubmittingOfficeID>XML dnbToolkit</SubmittingOfficeID>\n    </TransactionDetail>\n    <GetDataRequestDetail>\n      <InquiryDetail>\n        <DUNSNumber>001368083</DUNSNumber>\n        <CountryISOAlpha2Code>US</CountryISOAlpha2Code>\n      </InquiryDetail>\n      <ProductSpecification>\n        <TradeUpIndicator>true</TradeUpIndicator>\n        <ProductDataXPathText>Product/Organization/Assessment/SupplierEvaluationRiskScore</ProductDataXPathText>\n   </InquiryReferenceDetail>\n    </GetDataRequestDetail>\n  </pcm:GetDataRequest>\n</soap-env:Body>>\n####<Sep 15, 2016 8:11:34 AM EDT> <Info> <ALSB Logging> <> <Mac01_mngd01> <[ACTIVE] ExecuteThread: '135' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <25b3a1ebf1f8cf6d:658f2dca:1572c2cbe81:-7ffb-0000000000018cba> <1473941494796> <BEA-000000> < [RouteToPCMDataService, null, null, REQUEST] Header GDP Flow: <soapenv:Header xmlns:soapenv=\"\">",

Part trying to remove : from ####

Is it possible to fetch single tag constantly like (irrespective of positions) across all XML's instead of XPATH ??