XML parser, alter field

Soren_vdc · April 7, 2021, 7:36am

Hi,

I have this setup for XML parser:

   xml {
    source => "message"
    target => "xml"
            add_field => {
                Audit_Type              => "%{[xml][Audit_Type]}"
                Ext_Name                => "%{[xml][Ext_Name]}"
        }
   }

For some documents the Ext_Name is empty and this value is shown in the document in ELK:
%{[xml][Ext_Name]}

To change that to "blank", I tried with this:

alter {
        condrewrite => [
"Ext_Name","%{[xml][Ext_Name]}",""

]
}

But this "%{[xml][Ext_Name]}" is not working because logstash will see this as variable. Is there a way to escape this in the alter plugin that logstash see this as text and not as variable?

thx!

Soren_vdc · April 8, 2021, 7:28am

I can change it by IF function:
if "xml][Ext_Name" in [Ext_Name]{ mutate{ replace => {"Ext_Name" => ""} }

But is there a procedure to search for the Value "xml][" in all fields and change to ""?

Cad · April 8, 2021, 8:54am

Hi,

Yes you can use gsub from mutate filter documentation

mutate {
    gsub => [
         "Ext_Name", "xml][", ""
    ]
}

Cad

Badger · April 8, 2021, 3:55pm

You may be able to do this using a prune filter. The default operation of the filter is to remove any field that matches the regexp %{[^}]+}.

system · May 6, 2021, 3:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How ot deal with empty field in xml parser? Logstash	3	666	February 27, 2020
XML + Mutate plugins not working as espected Logstash	3	350	January 25, 2019
Im stuck at formatting data while trying to send xml file to Elasticsearch Logstash	2	227	August 3, 2021
How to change type of field in logstash for xml plugin Logstash	2	367	September 19, 2021
Log stash xml parse Logstash	2	416	May 8, 2017

XML parser, alter field

Related topics