Split xml like string

mortenb123 · October 12, 2018, 10:31am

Hi

How can I easily parse the following xml like string into kv strings:

"controllerstring" => "<dev>SC-M</dev><fw>SC-1 6.1.0-1 Jun 19 2018</fw><pid>48DA97EA-000229</pid><pname></pname><pdate>1222285290</pdate><mac>00:90:c2:d9:1e:c5</mac><clock>1223642611</clock><dst>60</dst><val>1</val><opt>3</opt><ip>192.168.1.103</ip>"

if([task] and [task] == "WebRaw") {
grok {
match => { "message" => "(?.+)$" }
tag_on_failure => []
}
if("" in [controllerstring]) {
xml {
source => "controllerstring"
target => "parsed"
store_xml => "false"
}
}
}

{
                "task" => "WebRaw",
           "indexpart" => "2018-10-10",
            "loglevel" => "Debug",
            "@version" => "1",
                 "mac" => "00:90:c2:d9:1e:c5",
          "@timestamp" => 2018-10-10T10:43:13.000Z,
                "host" => "MB-PC",
          "proxy-uuid" => "e8c1a9b8-0dbb-4aef-90ca-aebff3baea72",
             "message" => "(Web, Raw) 77.16.213.106 << [] <dev>SC-M</dev><fw>SC-1 6.1.0-1 Jun 19 2018</fw><pid>48DA97EA-000229</pid><pname></pname><pdate>1222285290</pdate><mac>00:90:c2:d9:1e:c5</mac><clock>1223642611</clock><dst>60</dst><val>1</val><opt>3</opt><ip>192.168.1.103</ip>",
    "controllerstring" => "<dev>SC-M</dev><fw>SC-1 6.1.0-1 Jun 19 2018</fw><pid>48DA97EA-000229</pid><pname></pname><pdate>1222285290</pdate><mac>00:90:c2:d9:1e:c5</mac><clock>1223642611</clock><dst>60</dst><val>1</val><opt>3</opt><ip>192.168.1.103</ip>",
                "type" => "sensioproxy",
            "sequence" => 0
}

mortenb123 · October 15, 2018, 7:10am

Currently I do the following, buit this does not account for new values:

if([task] and [task] == "WebRaw") {
grok {
match => { "message" => "(?.+)$" }
tag_on_failure =>
}
if("" in [controllerstring]) {
grok {
match => { "controllerstring" => "<dev>(?.+)</dev>" }
tag_on_failure =>
}
grok {
match => { "controllerstring" => "<fw>(?.+)</fw>" }
tag_on_failure =>
}
grok {
match => { "controllerstring" => "<ip>(?.+)</ip>" }
tag_on_failure =>
}
grok {
match => { "controllerstring" => "<cd>(?.+)</cd>" }
tag_on_failure =>
}
grok {
match => { "controllerstring" => "<hw>(?.+)</hw>" }
tag_on_failure =>
}
grok {
match => { "controllerstring" => "<serial>(?.+)</serial>" }
tag_on_failure =>
}
mutate {
remove_field => "controllerstring"
}

system · November 12, 2018, 7:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.