XML timestamp extraction?

eclipsed450 · July 31, 2019, 9:50pm

I have the following in an XML event, and want to put it into it's own field, but none of the XMLPATH I've tried have worked. Help??

   <Event>
      <System>
            ...
            <TimeCreated SystemTime="2019-07-30T13:05:26.543836000Z" />
            ...
      </System>
            <EventData>
            ...
            </EventData>
   </Event>

eclipsed450 · July 31, 2019, 11:35pm

@Badger since you're so helpful

Badger · August 1, 2019, 12:36pm

Try

xpath => { "/Event/System/TimeCreated/@SystemTime" => "foo" }

eclipsed450 · August 1, 2019, 2:48pm

Looks like that didn't work

[ERROR] 2019-08-01 07:45:30.487 [Converge PipelineAction::Create<main>] xml - Invalid setting for xml filter plugin:

  filter {
    xml {
      # This setting must be a hash
      # This field must contain an even number of items, got 11
      xpath => ["/Event/System/EventID/text()", "System.EventID", "/Event/System/EventName/text()", "System.EventName", "/Event/System/Result/text()", "System.Result", "/Event/System/Channel/text()", "System.Channel", "/Event/System/Computer/text()", "System.Computer", ["/Event/System/TimeCreated/@SystemTime", "System.EventTime"]]
      ...
    }
  }
[ERROR] 2019-08-01 07:45:30.495 [Converge PipelineAction::Create<main>] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Something is wrong with your configuration.", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/config/mixin.rb:87:in `config_init'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:126:in `initialize'", "org/logstash/plugins/PluginFactoryExt.java:81:in `filter_delegator'", "org/logstash/plugins/PluginFactoryExt.java:251:in `plugin'", "org/logstash/execution/JavaBasePipelineExt.java:50:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:24:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}

eclipsed450 · August 1, 2019, 3:09pm

I used xpath => [ "/Event/System/TimeCreated/@SystemTime", "System.EventTime" ] and it worked, thanks for pointing me in the right direction, again

Badger · August 1, 2019, 3:48pm

If you use an array logstash will convert it to a hash using pairs of array entries. That is why it says it has to have an even number of entries.

system · August 29, 2019, 3:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash XML parsing problem Logstash	3	1354	January 18, 2018
Date parsing issue for getting timestamp Logstash	4	1247	May 18, 2017
Getting timestamp field from XML attribute Logstash	11	1164	February 16, 2022
Problem with xml filter Logstash	12	4022	May 2, 2017
Extract data with Logstash and Xpath Logstash	3	5244	July 3, 2018

XML timestamp extraction?

Related topics