Trouble parsing xml file

Miguel_Leite · October 23, 2018, 10:50am

Hey there,
New to ELK and I was trying to parse the following xml file:

<msg time='2018-09-04T20:47:31.182+01:00' org_id='oracle' comp_id='rdbms'
 type='UNKNOWN' level='16' host_id='HHHHH'
 host_addr='XXX.XX.XXX.X' pid='YYYY' version='1'>
 <txt>Creating new log segment:
 </txt>
</msg>

I have the following logstash config file:

input {
        beats {
                port => 5044
        }
        if "xml" in [tags] {
                codec => multiline {
                        pattern => "<msg time"
                        negate => "true"
                        what => "next"
                }
        }
}
filter { 
       else if "xml" in [tags] {
                xml {
                        source => "message"
                        store_xml => false
                        xpath => [
                                   "/msg/text()", "msg_xml",
                                   "/msg/txt/text()", "txt_xml"
                        ]
                }
        }
}

Shouldn't it be working? The fields won't parse...

balumurari1 · October 24, 2018, 10:34am

hope this helps you,

wwalker · October 24, 2018, 7:59pm

I believe your error is in your multiline codec config. You are saying if the pattern does not match <msg, stick it on the next line. So I think you're getting a bunch of <msg time='2018-09-04T20:47:31.182+01:00' org_id='oracle' comp_id='rdbms' lines with the rest of the relevant information being pushed down to the next line. Since it's not proper XML formatting, it probably throws a parsing error.

In the multiline codec config, change it to what => "previous". That changes it to, "If the line does not start with <msg time, stick it on the previous line."

system · November 21, 2018, 7:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.