Hey!
I'm a complete beginner to everything Elasticsearch/Logstash/Kibana related, so please have mercy. I have an XML file with many event logs that is (simplified) structured like this:
<xmldata>
<Event>
<Computer>...</Computer>
...
<EventData>
<Data Name = "ErrorCode"> 0 </Data>
<Data Name = "PrincipalSamName"> .support </Data>
<Data Name = "Status"> 0xc00484b2 </Data>
...
</EventData>
</Event>
<Event>
...
</Event>
</xmldata>
My problem is that I don't know how to properly access all the subfields in the EventData block.
But like that I only get the first subfield, so just "ErrorCode" => "0".
But I need all the fields.
I hope you're able to understand my problem, and I'm sure (or at least I hope so) there's an easy solution, but I feel like I've tried everything and it won't work properly.
I really hope somebody can help me, because I've been trying to figure this out for days now.
Thanks in advance!
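For context, one possible shape for such a filter — a sketch only, assuming the whole file arrives as a single event in [message]; the `theXML` target name is taken from later in this thread, and the split usage is an assumption, not the poster's actual config:

```
filter {
  xml {
    source      => "message"
    target      => "theXML"
    force_array => true        # wrap single elements in arrays too
  }
  # one event per <Event> block instead of one giant document
  split { field => "[theXML][Event]" }
}
```

With that, each `<Data Name="...">` entry ends up under `[theXML][Event][EventData][Data]` for further processing.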
The challenge is that this is a piece of manufacturing equipment: each recipe has the same format, but depending on the items it is inspecting you will see a different count. What I posted was only 3 inspections on a printed circuit board, but the actual file has over 10,000 inspections, so writing the configuration file for that by hand would be a nightmare. Hopefully this code will work through it.
First of all, sorry that it took me so long to reply; I had no access to the files over the long weekend. Thanks for your input! So I guess there's not just a simple line to add to my filter as it was? Because everything else was working fine, I was hoping it wasn't all "useless".
But I will try your suggestion now. Can I ask where the @metadata comes from though? Just trying to actually understand everything.
Unfortunately that doesn't work for me. If I put it in like that, I get an _xmlparsefailure and a _split_type_failure as well. I also tried adding the missing [xmldata] before all of the [Event]s, but it's still no better. It all comes out as one message, not several Events. If I do the split like in my config file, that at least works, but then it's all in one block called "Event". Unfortunately I know nothing about Ruby, so no idea what I could change really.
If you are getting an _xmlparsefailure tag then the [message] field is not valid XML. We cannot help you with that unless you can show us the actual [message] field.
exception=>#<REXML::ParseException: No close tag for /xmldata
Your multiline pattern is not capturing the close tag. If you want to consume the entire file you could use read mode for the file input. Alternatively, use a pattern that will never match and emit the event based on a timeout.
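A sketch of what that could look like — the path is a placeholder, and combining read mode with the never-matching-pattern timeout trick here is an assumption, not a verified config:

```
input {
  file {
    path        => "/path/to/events.xml"   # placeholder path
    mode        => "read"                  # read the whole file, then mark it completed
    sincedb_path => "/dev/null"            # assumption: don't persist the read position
    codec => multiline {
      pattern             => "willNeverMatch"  # a pattern that never matches...
      what                => "previous"
      auto_flush_interval => 2                 # ...so the whole file is flushed as one event
    }
  }
}
```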
What do you mean by read mode? Like I said, I'm completely new to Logstash, so sorry for the stupid questions, but Google couldn't help me either.
Also, why did it work with my original config file if I didn't change anything in the input section?
Alright, thank you, that seems to work in some ways now.
Though now I get a ruby_exception, "no implicit conversion of String into Integer", for the Events that have a field with the name "Status" containing something like "0xc00484b2"; it works fine for the other Events without that field. Any tips on how to fix that?
Also, my file now gets deleted as soon as I run Logstash. Does that have something to do with the ruby exception, or is there another problem that could cause it?
I figured out that the file gets deleted because of the read mode, it deletes the file after it's done with it by default.
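That default can be changed. A hedged sketch (paths are placeholders; the option names come from the file input's read mode):

```
file {
  path                    => "/path/to/events.xml"       # placeholder
  mode                    => "read"
  file_completed_action   => "log"                       # default is "delete"
  file_completed_log_path => "/path/to/completed.log"    # placeholder
}
```

With `file_completed_action => "log"`, finished files are recorded in the log path instead of being removed.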
So I'm only left with the ruby_exception.
[ERROR] 2019-04-24 13:41:34.697 [[main]>worker0] ruby - Ruby exception occurred: no implicit conversion of String into Integer
[ERROR] 2019-04-24 13:41:34.716 [[main]>worker0] ruby - Ruby exception occurred: no implicit conversion of String into Integer
That's what it says. Or do you need anything else?
Also, tried out a few things, and I think the reason is not the "Status" field itself, but the fact that it is the only one in the EventData-Block for the specific events, if that makes any sense.
Like, when the "Status" field is the only one in the EventData block, it throws the ruby_exception. I tried adding another field to those Events and then it worked, so that's why I guess that's the problem. What can I do about that?
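That diagnosis is consistent with how XML often deserializes: a single `<Data>` element comes out as a Hash, several come out as an Array of Hashes, and indexing a Hash with an integer raises exactly "no implicit conversion of String into Integer". A plain-Ruby sketch (outside Logstash; the parsed shapes and the "content" key for element text are assumptions) of normalizing before iterating:

```ruby
# One <Data> element parses to a Hash, several to an Array of Hashes
# (assumed shapes; "content" is a common key for element text).
# Wrap the single-Hash case so iteration always works.
def event_data_fields(data)
  entries = data.is_a?(Array) ? data : [data]  # normalize Hash -> [Hash]
  entries.each_with_object({}) do |entry, fields|
    next unless entry.is_a?(Hash) && entry["Name"]
    fields[entry["Name"]] = entry["content"].to_s.strip
  end
end
```

So both an event with only `{"Name" => "Status", "content" => "0xc00484b2"}` and one with a full array of Data entries go through the same loop.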
Hey, sorry to bring this topic up again, but another problem came up and I can't seem to find a solution for it myself, since I assume it requires Ruby knowledge again. I hope you can help me with it once more.
I get a _rubyexception for all the Events that look like this:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Qlik Sense Service Dispatcher"></Provider>
<EventID Qualifiers="0">300</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2019-01-03 08:36:19.361464"></TimeCreated>
<EventRecordID>139827</EventRecordID>
<Channel>Application</Channel>
<Computer>...</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data><string>Child process (2624) started
Facility = Next-generation Broker Service
ExePath = Node\node.exe
Script = ..\BrokerService\index.js
Command Line"Node\node.exe" "..\BrokerService\index.js" --port=4900 --log-path="..."</string>
</Data>
<Binary></Binary>
</EventData>
</Event>
So the problem is that the EventData block doesn't follow the usual structure of <Data Name="API">...</Data>; instead there's just one big block.
Any tips on how to include that in the ruby filter?
By the way, the exception I get is: no implicit conversion of nil into String.
When I tried it on a few selected Events they at least still showed up in Kibana, just with the tag _rubyexception.
But now that I've tried it with around 60,000 Events, they won't even go through to Elasticsearch; there I get the following warning:
[WARN ] 2019-05-15 14:22:01.385 [[main]>worker1] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>"128712", :_index=>"evtx44", :_type=>"xmlfiles", :routing=>nil}, #<LogStash::Event:0x4d92f2cc>], :response=>{"index"=>{"_index"=>"evtx44", "_type"=>"xmlfiles", "_id"=>"128712", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"object mapping for [theXML.Event.EventData.Data] tried to parse field [Data] as object, but found a concrete value"}}}}
When it gets a string, Elasticsearch sets the field's type to "text", not "object", and you cannot have both types in the same field. To resolve this, if the ruby code has already extracted all the interesting data from [theXML][Event][EventData][Data] when it is an Array or Hash, then use

event.remove(FieldName)

in both branches of the if. Otherwise add a branch to the if that turns the text into an object.
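The three-way shape that advice describes could look roughly like this in plain Ruby — a sketch under assumptions: the helper name, the "content"/"string" keys, and the parsed shapes are guesses from the samples in this thread, not the actual filter code:

```ruby
# Sketch: handle all the shapes [theXML][Event][EventData][Data] can take.
# Inside a real ruby filter you would then call
#   event.remove("[theXML][Event][EventData][Data]")
# in every branch, so Elasticsearch never sees the raw mixed-type field.
def normalize_event_data(data)
  case data
  when Array                # several <Data Name="...">...</Data> elements
    data.each_with_object({}) do |d, h|
      h[d["Name"]] = d["content"].to_s.strip if d.is_a?(Hash) && d["Name"]
    end
  when Hash
    if data["Name"]         # a single named <Data> element
      { data["Name"] => data["content"].to_s.strip }
    else                    # the <Data><string>...</string></Data> case
      { "string" => Array(data["string"] || data["content"]).join("\n") }
    end
  when String               # bare text: turn it into an object too
    { "string" => data }
  else
    {}
  end
end
```

The extra Hash-without-Name and String branches are what keep the Qlik-style events from raising "no implicit conversion of nil into String".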
Thanks for your help again! It works a lot better now, and I get a lot more events through to Elasticsearch, but still not all of them for some reason. I don't get any errors any more; the only thing that shows up is: (ruby filter code):3: warning: already initialized constant FieldName
all over the screen before the actual data appears. Could that have something to do with it?
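For what it's worth, that warning is a plain Ruby quirk rather than a Logstash one: any capitalized name is a constant, and the ruby filter's per-event code assigns it again on every event. A tiny sketch (the field path is the one from this thread):

```ruby
# Assigning a capitalized name a second time prints
# "warning: already initialized constant FieldName" but keeps running,
# so by itself the warning would not explain missing events.
FieldName = "[theXML][Event][EventData][Data]"
FieldName = "[theXML][Event][EventData][Data]"  # triggers the warning

# A lowercase local variable avoids the warning entirely:
field_name = "[theXML][Event][EventData][Data]"
```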