Work with xml in logstash

Hi all, I have XML data as below, which is harvested by Filebeat and sent to Logstash.

    <event name="first check">
        <Data name="id">
            <Value>5</Value>
        </Data>
        <Data name="object_id">
            <Value>123</Value>
        </Data>
        <Data name="en">
            <Value>t</Value>
        </Data>
        <Data name="ex">
            <Value>5</Value>
        </Data>
        <Data name="cpt">
            <Value>0</Value>
        </Data>
        <Data name="pds">
            <Value>0</Value>
        </Data>
        <Data name="lr">
            <Value>0</Value>
        </Data>
        <Data name="wts">
            <Value>0</Value>
        </Data>
        <Data name="rt">
            <Value>1</Value>
        </Data>
        <Data name="object_name">
            <Value></Value>
        </Data>
        <Data name="st">
            <Value>hi</Value>
        </Data>
        <action name="mn">
            <Value>dw</Value>
        </action>
        <action name="sn">
            <Value>ad</Value>
        </action>
        <action name="hn">
            <Value>123</Value>
        </action>
        <action name="time1">
            <Value>11/14/2022 7:33:23 AM +00:00</Value>
        </action>
    </event>

I want to store it as key/value pairs in Elasticsearch as below:

    id: 5
    object_id: 123
    en: t
    ex: 5
    cpt: 0
    pds: 0
    lr: 0
    wts: 0
    rt: 1
    object_name: hh
    st: hi
    mn: dw
    sn: ad
    hn: 123
    time1: 11/14/2022 7:33:23 AM +00:00

How can I parse this XML using Logstash? The output of the xml filter is not what is expected. Any advice will be much appreciated.


    xml {
        source => "message"
        store_xml => true
        target => "theXML"
        force_array => false
    }

Regards

You will need a ruby filter unless you know all the field names in advance (in which case you can use a mutate filter).

    xml { source => "message" target => "[@metadata][theXML]" }
    ruby {
        init => '
            def flatten (event, field)
                f = event.get(field)
                if f.respond_to? "each"
                    f.each { |x|
                        if x["Value"].is_a? Array and x["name"]
                            event.set(x["name"], x["Value"][0])
                        end
                    }
                end
            end
        '
        code => '
            flatten(event, "[@metadata][theXML][Data]")
            flatten(event, "[@metadata][theXML][action]")
        '
    }

will produce

              "time1" => "11/14/2022 7:33:23 AM +00:00",
                 "ex" => "5",
                "wts" => "0",
        "object_name" => nil,

etc.
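
The flattening above takes each field name from the `name` attribute of the incoming XML. As an added example (plain Ruby, not part of the reply and not Logstash's own code), the same name/Value flattening with the names checked before they become keys; `flatten_pairs`, `SAFE_NAME`, `RESERVED` and the sample hash are hypothetical, and the input shape is assumed from what the reply's code expects.

```ruby
# Added example: flatten name/Value pairs while guarding the field names.
# Assumption: items look like {"name"=>"id", "Value"=>["5"]}, the shape the
# reply's code expects from the xml filter with force_array left at its default.
SAFE_NAME = /\A[A-Za-z_][A-Za-z0-9_]*\z/

# Returns [fields, rejected]. The first occurrence of a name wins; names that
# are not plain identifiers, or that are in `reserved`, are never used as keys.
def flatten_pairs(parsed, lists, reserved = [])
  fields = {}
  rejected = []
  lists.each do |list|
    items = parsed[list]
    next unless items.respond_to?(:each)
    items.each do |item|
      next unless item.is_a?(Hash)
      name = item["name"]
      ok = name.is_a?(String) && name.match?(SAFE_NAME) &&
           !reserved.include?(name) && !fields.key?(name)
      unless ok
        rejected << name
        next
      end
      value = item["Value"]
      # An empty or missing <Value> becomes nil, as in the output above.
      fields[name] = value.is_a?(Array) ? value[0] : nil
    end
  end
  [fields, rejected]
end

# Constructed sample, not real parser output.
SAMPLE = {
  "Data" => [
    { "name" => "id", "Value" => ["5"] },
    { "name" => "object_name" },
    { "name" => "@timestamp", "Value" => ["x"] },
    { "name" => "[host][name]", "Value" => ["x"] }
  ],
  "action" => [
    { "name" => "time1", "Value" => ["11/14/2022 7:33:23 AM +00:00"] },
    { "name" => "id", "Value" => ["999"] }
  ]
}

RESERVED = %w[message host tags].freeze

fields, rejected = flatten_pairs(SAMPLE, %w[Data action], RESERVED)
puts fields.inspect
puts rejected.inspect
```

Inside a ruby filter, the returned hash could be written under a single parent field with `event.set`, so parsed names cannot collide with fields already on the event.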
