I don't think it makes sense to use two xml filters on the same XML. I would save the parsed XML and work on that.
filter {
  xml {
    source => "message"
    target => "[@metadata][theXML]"
    store_xml => true
    remove_namespaces => true
    force_array => false
    remove_field => ["message"]
  }
  split {
    field => "[@metadata][theXML][Event]"
  }
  ruby {
    code => '
      e = event.get("[@metadata][theXML][Event][EventData][Data]")
      # With force_array => false a single <Data> element is a Hash, not an Array
      e = [e] if e.is_a?(Hash)
      if e.is_a?(Array)
        e.each { |x|
          # Copy each <Data Name="...">value</Data> to a top-level field
          event.set(x["Name"], x["content"]) if x.is_a?(Hash) && x["Name"]
        }
      end
    '
  }
  mutate { copy => { "[@metadata][theXML][Event][Computer]" => "Computer" } }
}
You can use a rubydebug output to inspect the parsed XML.
output { stdout { codec => rubydebug { metadata => true } } }
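How the ruby filter's loop behaves on the structure the xml filter stores with force_array => false, as an added example that is not part of the original post: a lone `<Data>` element arrives as a Hash rather than an Array, and the `Name` values come from the log source, so this sketch wraps single elements and refuses names that would collide with existing fields. The helper name `flatten_event_data`, the `RESERVED` list and the sample values are assumptions made for illustration.

```ruby
# Added illustration; the names below are assumptions, not Logstash API.
RESERVED = %w[@timestamp @version @metadata message host tags].freeze

# data: value found at [Event][EventData][Data] after the xml filter
#       (Array of Hashes, a single Hash, a bare String, or nil).
# existing: field names already present on the event.
# Returns [fields_to_set, rejected_entries].
def flatten_event_data(data, existing = [])
  entries = case data
            when nil then []
            when Array then data
            else [data] # force_array => false: a lone <Data> is not wrapped
            end
  fields = {}
  rejected = []
  entries.each do |x|
    # <Data> without attributes parses to a bare String: there is no name to use.
    unless x.is_a?(Hash) && x["Name"].is_a?(String) && !x["Name"].empty?
      rejected << x.inspect
      next
    end
    name = x["Name"]
    # Names are controlled by the log source: refuse field references and collisions.
    if name.match?(/[\[\]]/) || RESERVED.include?(name) ||
       existing.include?(name) || fields.key?(name)
      rejected << name
      next
    end
    fields[name] = x["content"] # nil when the element is empty
  end
  [fields, rejected]
end

# Constructed sample: parsed EventData in the shape the xml filter stores it.
SAMPLE_MANY = [
  { "Name" => "SubjectUserName", "content" => "alice" },
  { "Name" => "LogonType", "content" => "3" },
  { "Name" => "[@metadata][theXML]", "content" => "x" },
  { "Name" => "host", "content" => "spoofed" },
  { "Name" => "EmptyValue" },
  "bare text"
].freeze
SAMPLE_ONE = { "Name" => "TargetUserName", "content" => "bob" }.freeze

if __FILE__ == $PROGRAM_NAME
  p flatten_event_data(SAMPLE_MANY)
  p flatten_event_data(SAMPLE_ONE)
end
```

Inside a ruby filter the returned pairs would be applied with `event.set`, and the rejected entries could be written to a tag or a separate field for review.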