Xml plugin getting text with characters

bigster · May 9, 2019, 2:58pm

Hi,

I'm getting the XML values from a QUEUE and when i get an element that have the '&' character it transforms into the &amp string.

Here are the before and after:

gz$LDQ@vnbkj7DNUVwwjrnGa0&|2,a)

Here are the code of the filter, the field in question is the service_key:

xml{
source => "message"
store_xml => false
remove_namespaces => true
force_array => false
xpath => [
"/LogMessage/TransactionID/text()", "transaction_id",
"/LogMessage/ServiceKey/text()", "service_key"
]
}

Any ideas why this happens and how can i resolve this?

Cheers,

bigster · May 9, 2019, 3:01pm

Strange the field after passing to the interpreter of the browser, is correct.
The second value instead of a '&' it has the '&amp'.
This field is used after in a jdbc_streaming plugin and it has the wrong value.

Badger · May 9, 2019, 3:26pm

I do not see any difference between the before and after. You may need to use appropriate markdown to quote your examples.

bigster · May 9, 2019, 4:12pm

This is what i get from the XML:

            "service_key" => "gz$LDQ@vnbkj7DNUVwwjrnGa0&amp;|2,a)",

and instead of & it should be '&'

wwalker · May 9, 2019, 4:24pm

You could always setup a mutate pass on the field and use gsub to replace &amp with &

mutate {
  gsub => [
  "service_key", "&amp", "&"
  ]
}

bigster · May 10, 2019, 2:04pm

Hi,

The problem using that is that i can't predict that's the only character that needs to be treated.
There's no other way of doing something in the XML filter plugin?

wwalker · May 10, 2019, 2:55pm

The source of the problem is the parsing engine the XML plugin uses and it's mistreatment of a special character. You can safely assuming that alphanumeric characters wont have this occur, and based on your current results, $@ are safe as well. All that in mind, unless we get some input from the plugin dev (open a ticket on github?), you could perform a test ingest of each special character and then add to the mutate rule for those that are improperly parsed.

Badger · May 10, 2019, 3:41pm

If you have HTML entities in a string then there is a third-party filter that can remove them.

bigster · May 16, 2019, 5:49pm

The solution wasn't pretty, but solves the problem.

wwalker · May 17, 2019, 4:09am

What was your solution, a mutate filter?

bigster · May 17, 2019, 10:02am

The solution that you provided in the first place, a mutate filter with a lot of characters to be gsubed.

cheers,

system · June 14, 2019, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.