XML parser, alter field

Soren_vdc · April 7, 2021, 7:36am

Hi,

I have this setup for XML parser:

   xml {
    source => "message"
    target => "xml"
            add_field => {
                Audit_Type              => "%{[xml][Audit_Type]}"
                Ext_Name                => "%{[xml][Ext_Name]}"
        }
   }

For some documents the Ext_Name is empty and this value is shown in the document in ELK:
%{[xml][Ext_Name]}

To change that to "blank", I tried with this:

alter {
        condrewrite => [
"Ext_Name","%{[xml][Ext_Name]}",""

]
}

But this "%{[xml][Ext_Name]}" is not working because logstash will see this as variable. Is there a way to escape this in the alter plugin that logstash see this as text and not as variable?

thx!

Soren_vdc · April 8, 2021, 7:28am

I can change it by IF function:
if "xml][Ext_Name" in [Ext_Name]{ mutate{ replace => {"Ext_Name" => ""} }

But is there a procedure to search for the Value "xml][" in all fields and change to ""?

Cad · April 8, 2021, 8:54am

Hi,

Yes you can use gsub from mutate filter documentation

mutate {
    gsub => [
         "Ext_Name", "xml][", ""
    ]
}

Cad

Badger · April 8, 2021, 3:55pm

You may be able to do this using a prune filter. The default operation of the filter is to remove any field that matches the regexp %{[^}]+}.

system · May 6, 2021, 3:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.