XML LOGSTASH configuration

Aylwinns_Tan · June 5, 2017, 3:33pm

Hi all,

Im trying to configure logstash for an XML log but i cant seem to get it right.

This is my configuration:
xml {
source => "message"
target => "Full.XML"
xpath =>
[
"/LogRoot/LogMessage/text()", "Info",
"/LogRoot/GuiRoot/batch[@execution="synchronous"]/getJobDetailsResponse/user/text()", "User"
] }

And this is my error:

Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>"/LogRoot/GuiRoot/batch\[\@execution\=\"synchronous\"\]/getJobDetailsResponse/user/text()", "backtrace"=>["nokogiri/XmlXpathContext.java:169:in evaluate'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:165:inxpath'", "org/jruby/RubyArray.java:2414:in map'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:156:inxpath'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:153:in filter'", "org/jruby/RubyHash.java:1342:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:152:in filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:145:indo_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:164:in multi_filter'", "org/jruby/RubyArray.java:1613:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:161:in multi_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filter_delegator.rb:43:inmulti_filter'", "(eval):1387:in initialize'", "org/jruby/RubyArray.java:1613:ineach'", "(eval):1383:in initialize'", "org/jruby/RubyProc.java:281:incall'", "(eval):557:in filter_func'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:370:infilter_batch'", "org/jruby/RubyProc.java:281:in call'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:224:ineach'", "org/jruby/RubyHash.java:1342:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:223:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:369:in filter_batch'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:350:inworker_loop'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:317:in start_workers'"]} [2017-06-05T16:46:37,964][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<Nokogiri::XML::XPath::SyntaxError: /LogRoot/GuiRoot/batch\[\@execution\=\"synchronous\"\]/getJobDetailsResponse/user/text()>, :backtrace=>["nokogiri/XmlXpathContext.java:169:inevaluate'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:165:in xpath'", "org/jruby/RubyArray.java:2414:inmap'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/nokogiri-1.7.0.1-java/lib/nokogiri/xml/searchable.rb:156:in xpath'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:153:infilter'", "org/jruby/RubyHash.java:1342:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-filter-xml-4.0.2/lib/logstash/filters/xml.rb:152:infilter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:145:in do_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:164:inmulti_filter'", "org/jruby/RubyArray.java:1613:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filters/base.rb:161:inmulti_filter'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/filter_delegator.rb:43:in multi_filter'", "(eval):1387:ininitialize'", "org/jruby/RubyArray.java:1613:in each'", "(eval):1383:ininitialize'", "org/jruby/RubyProc.java:281:in call'", "(eval):557:infilter_func'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:370:in filter_batch'", "org/jruby/RubyProc.java:281:incall'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:224:in each'", "org/jruby/RubyHash.java:1342:ineach'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:223:in each'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:369:infilter_batch'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:350:in worker_loop'", "/murex/ELK/ELKinstall/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:317:instart_workers'"]}

Thanks for the help

Greatly appreciated

magnusbaeck · June 8, 2017, 4:33am

Logstash doesn't treat character escapes very well. Instead of

"/LogRoot/GuiRoot/batch[\@execution\=\"synchronous\"]/getJobDetailsResponse/user/text()"

try this:

'/LogRoot/GuiRoot/batch[@execution="synchronous"]/getJobDetailsResponse/user/text()'

Aylwinns_Tan · June 8, 2017, 5:15am

thanks it's working now.

system · July 6, 2017, 5:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Xml parse in logstash Logstash	10	310	March 12, 2024
Xml parcing problem Logstash	5	337	July 9, 2019
Difficulties to parse/filter on xml file Logstash	3	1618	July 6, 2017
Need proper example and resource for xml filter plugin Kibana	4	268	February 13, 2023
Logstash Ruby exceptions Logstash	5	4297	July 6, 2017

XML LOGSTASH configuration

Related Topics