Thanks for your quick response, Badger. In the interest of time, in case I need just specific fields with corresponding values instead of flattening the whole hierarchy, e.g. specifically
BatteryHealthCode
ChargeCapacity
PartNumber
SerialNumber
from parent xmldata.command.sendTerminalProperties.group.name: Battery.
Is there any other way, like split or something, you can advise?
I tried split, which you suggested below (maybe my code is not correct):
filter {
  grok {
    match => { "message" => "^%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+(\[)%{DATA:logger}(\])\s+%{DATA:command} (\|)%{DATA:output}?\s*$(?<stacktrace>(?m:.*))" }
  }
  if "<?xml" in [stacktrace] {
    xml {
      source => "stacktrace"
      target => "xmldata"
    }
  }
  split { field => "[xmldata][command][sendTerminalProperties][group][name]" }
  split { field => "[xmldata][command][sendTerminalProperties][property][name]" }
  split { field => "[xmldata][command][sendTerminalProperties][property][value]" }
}
Request advice.