XML parsing logstash, adding part of XML tags to an array per event

I'm trying to parsing xml file using multiline, and inside the main tag(from mutiline pattern) I want another tag to add to an array

Issue --> I'm not able to get <INV_HW_STANDARD_MODULES> into an array and later I can use ruby on that for other processing.

Sample xml example:

logstash.conf:
input {
file
{
path => "/usr/local/src/files/Physical_Inventory.xml"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => multiline
{
pattern => "^\s+</INV_NES>"
negate => true
what => previous
}
}
}

filter {
#Extract the uniqueCollectionId from the file name
grok {
match => {"path" => "%{GREEDYDATA}/%{NUMBER:uniqueCollectionId}-%{GREEDYDATA}Physical_Inventory.xml"}
}

xml 
{
	source => "message"
    target => "xml_content"
    xpath => [ "//INV_NETWORKS//INV_SITES//INV_NES//INV_HW_STANDARD_MODULES", "hardwareI" ]  
}

split {
    add_field => {"Hardware" => "%{[xml_content][INV_HW_STANDARD_MODULES]}"}
}



#Add field platform, its same for all Mini-Link nodes
mutate {
    add_field => { "platform" => "Mini-Link"}
    add_field => { "isValidated" => false}
}

#Remove all unwanted fileds
mutate {
    remove_field => ["path", "message", "host", "@version"]
}

}

output {
stdout {
codec => rubydebug
}
}

I'm not able to get <INV_HW_STANDARD_MODULES> into an array and later I can use ruby on that for other processing.

Comment out all your filters and show us the result of your stdout { codec => rubydebug } output so we can see that the multiline codec is doing the right thing. I think your problems start there.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.