XML LOGSTASH configuration

Aylwinns_Tan · June 5, 2017, 3:33pm

Hi all,

Im trying to configure logstash for an XML log but i cant seem to get it right.

This is my configuration:
xml {
source => "message"
target => "Full.XML"
xpath =>
[
"/LogRoot/LogMessage/text()", "Info",
"/LogRoot/GuiRoot/batch[@execution="synchronous"]/getJobDetailsResponse/user/text()", "User"
] }

And this is my error:

Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>"/LogRoot/GuiRoot/batch\[\@execution\=\"synchronous\"\]/getJobDetailsResponse/user/text()", "backtrace"=>["nokogiri/XmlXpathContext.java:169:in evaluate'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:165:inxpath'", "org/jruby/RubyArray.java:2414:in map'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:156:inxpath'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:153:in filter'", "org/jruby/RubyHash.java:1342:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:152:in filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:145:indo_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:164:in multi_filter'", "org/jruby/RubyArray.java:1613:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:161:in multi_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filter_delegator.rb:43:inmulti_filter'", "(eval):1387:in initialize'", "org/jruby/RubyArray.java:1613:ineach'", "(eval):1383:in initialize'", "org/jruby/RubyProc.java:281:incall'", "(eval):557:in filter_func'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:370:infilter_batch'", "org/jruby/RubyProc.java:281:in call'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:224:ineach'", "org/jruby/RubyHash.java:1342:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:223:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:369:in filter_batch'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:350:inworker_loop'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:317:in start_workers'"]} [2017-06-05T16:46:37,964][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<Nokogiri::XML::XPath::SyntaxError: /LogRoot/GuiRoot/batch\[\@execution\=\"synchronous\"\]/getJobDetailsResponse/user/text()>, :backtrace=>["nokogiri/XmlXpathContext.java:169:inevaluate'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:165:in xpath'", "org/jruby/RubyArray.java:2414:inmap'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:156:in xpath'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:153:infilter'", "org/jruby/RubyHash.java:1342:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:152:infilter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:145:in do_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:164:inmulti_filter'", "org/jruby/RubyArray.java:1613:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:161:inmulti_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filter_delegator.rb:43:in multi_filter'", "(eval):1387:ininitialize'", "org/jruby/RubyArray.java:1613:in each'", "(eval):1383:ininitialize'", "org/jruby/RubyProc.java:281:in call'", "(eval):557:infilter_func'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:370:in filter_batch'", "org/jruby/RubyProc.java:281:incall'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:224:in each'", "org/jruby/RubyHash.java:1342:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:223:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:369:infilter_batch'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:350:in worker_loop'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:317:instart_workers'"]}

Thanks for the help

Greatly appreciated

magnusbaeck · June 8, 2017, 4:33am

Logstash doesn't treat character escapes very well. Instead of

"/LogRoot/GuiRoot/batch[\@execution\=\"synchronous\"]/getJobDetailsResponse/user/text()"

try this:

'/LogRoot/GuiRoot/batch[@execution="synchronous"]/getJobDetailsResponse/user/text()'

Aylwinns_Tan · June 8, 2017, 5:15am

thanks it's working now.

system · July 6, 2017, 5:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.