Hi,
I am using the XML filter to ingest a file that looks like this:
<Events>
  ... other events
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-WinINet" Guid="{43d1a55c-76d6-4f7e-995c-64c711e5cafe}" />
      <EventID>108</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>503</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000001</Keywords>
      <TimeCreated SystemTime="2020-03-27T14:08:47.392601500+00:00" />
      <Correlation ActivityID="{00cc000c-12e5-0000-dc12-fc05e043051f}" />
      <Execution ProcessID="4828" ThreadID="1532" ProcessorID="0" KernelTime="24105" UserTime="18705" />
      <Channel>Microsoft-Windows-WinINet/Analytic</Channel>
      <Computer />
    </System>
    <EventData>
      <Data Name="ConnectionHandle">0xCC000C</Data>
      <Data Name="_ServerNameLength">17</Data>
      <Data Name="ServerName">xxxyyyyy.zzzz.com</Data>
      <Data Name="ServerPort"> 15148</Data>
      <Data Name="_ServiceLength">4</Data>
      <Data Name="Service">http</Data>
    </EventData>
    <RenderingInfo Culture="en-GB">
      <Level>Information </Level>
      <Opcode>Info </Opcode>
      <Keywords>
        <Keyword>Flagged on all WinINet events dealing with creation or destruction of INTERNET handles </Keyword>
      </Keywords>
      <Task>WININET_HTTP_REQUEST_HANDLE_CREATED </Task>
      <Message>Request handle 0xCC000C Server Details: Server=xxxyyyyy.zzzz.com Port=15148 Service=http </Message>
      <Channel>Microsoft-Windows-WinINet/Analytic</Channel>
      <Provider>Microsoft-Windows-WinINet </Provider>
    </RenderingInfo>
  </Event>
  ... other events
</Events>
The filter section of my config file looks like this:
filter {
  xml {
    remove_namespaces => true
    source => "message"
    target => "wininet"
    store_xml => true
    force_array => false
    xpath => [ "//Event/System/TimeCreated/@SystemTime", "SystemTime" ]
    xpath => [ "//Event/System/EventID/text()", "EventID" ]
    xpath => [ "//Event/System/Task/text()", "Task" ]
    xpath => [ "//Event/System/Opcode/text()", "Opcode" ]
    xpath => [ "//Event/System/Execution/@ProcessID", "ProcessID" ]
    xpath => [ "//Event/System/Execution/@ThreadID", "ThreadID" ]
    xpath => [ "//Event/System/Execution/@UserTime", "UserTime" ]
    xpath => [ "//Event/System/Execution/@KernelTime", "KernelTime" ]
    xpath => [ "//Event/EventData/Data[@Name='URL']/text()", "URL" ]
    xpath => [ "//Event/EventData/Data[@Name='ServerName']/text()", "ServerName" ]
    xpath => [ "//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle" ]
    xpath => [ "//Event/EventData/Data[@Name='Status']/text()", "Status" ]
    xpath => [ "//Event/EventData/Data[@Name='Verb']/text()", "Verb" ]
    xpath => [ "//Event/EventData/Data[@Name='RequestHeader']/text()", "RequestHeader" ]
    xpath => [ "//Event/EventData/Data[@Name='ResponseHeader']/text()", "ResponseHeader" ]
    xpath => [ "//Event/EventData/Data[@Name='ResponseCode']/text()", "ResponseCode" ]
    xpath => [ "//Event/EventData/Data[@Name='Error']/text()", "Error" ]
    xpath => [ "//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle" ]
    xpath => [ "//Event/RenderingInfo/Task/text()", "Task" ]
    xpath => [ "//Event/RenderingInfo/Message/text()", "Message" ]
  }
}
When I run Logstash, I get:
An unexpected error occurred! {:error=>java.lang.IllegalStateException: java.lang.ClassCastException: Cannot cast org.jruby.specialized.RubyArrayTwoObject to org.jruby.RubyString
If I comment out the configuration line referring to ConnectionHandle, everything works OK, including the ingestion of ServerName. The format of the ConnectionHandle and ServerName values in the XML looks the same, and the xpath parameters look the same.
What am I doing wrong?
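As an added worked example (not part of the post above and not Logstash's own code), the script below does two things a practitioner would want when an xml filter like this one rejects its config: it reads the `xpath => [ "expr", "target" ]` lines and reports any target field name that is assigned more than once (in the posted filter, `ConnectionHandle` appears on two lines), and it replays the same xpath mappings against the posted event in plain Python, stripping the `xmlns` the way `remove_namespaces => true` does. Assumptions not stated on the page: the filter block is available as text, only the two xpath shapes the post uses (`.../Elem/text()` and `.../Elem/@Attr`, both rooted at `//Event/`) need supporting, and the sample event and config excerpt embedded here are constructed copies of the ones in the question.

```python
"""Replays the question's xpath mappings in Python and flags duplicate targets.

Added example, not from the original post or from Logstash. Assumes the
filter config is available as text and only handles the two xpath shapes
the post uses:  //Event/.../Elem/text()  and  //Event/.../Elem/@Attr
"""
import re
import xml.etree.ElementTree as ET

# Constructed copy of one <Event> from the question (namespace kept on purpose).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WinINet" Guid="{43d1a55c-76d6-4f7e-995c-64c711e5cafe}" />
    <EventID>108</EventID>
    <Task>503</Task>
    <Opcode>0</Opcode>
    <TimeCreated SystemTime="2020-03-27T14:08:47.392601500+00:00" />
    <Execution ProcessID="4828" ThreadID="1532" ProcessorID="0" KernelTime="24105" UserTime="18705" />
  </System>
  <EventData>
    <Data Name="ConnectionHandle">0xCC000C</Data>
    <Data Name="ServerName">xxxyyyyy.zzzz.com</Data>
    <Data Name="ServerPort"> 15148</Data>
    <Data Name="Service">http</Data>
  </EventData>
</Event>"""

# Constructed excerpt of the filter block from the question; the target
# "ConnectionHandle" is written by two different xpath lines.
FILTER_CONFIG = """
xpath => [ "//Event/System/TimeCreated/@SystemTime", "SystemTime" ]
xpath => [ "//Event/System/EventID/text()", "EventID" ]
xpath => [ "//Event/EventData/Data[@Name='URL']/text()", "URL" ]
xpath => [ "//Event/EventData/Data[@Name='ServerName']/text()", "ServerName" ]
xpath => [ "//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle" ]
xpath => [ "//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle" ]
"""

XPATH_LINE = re.compile(r'xpath\s*=>\s*\[\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\]')


def xpath_mappings(config_text):
    """Return {target_field: [xpath_expr, ...]} for every xpath => line."""
    mappings = {}
    for expr, target in XPATH_LINE.findall(config_text):
        mappings.setdefault(target, []).append(expr)
    return mappings


def duplicate_targets(config_text):
    """Target field names that more than one xpath line writes to."""
    return sorted(t for t, exprs in xpath_mappings(config_text).items() if len(exprs) > 1)


def strip_namespaces(root):
    """Mimic remove_namespaces => true: drop the {uri} prefix from every tag."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def evaluate(root, expr):
    """Evaluate one of the two xpath shapes used in the post with ElementTree.

    Returns None when the node is absent (e.g. Data[@Name='URL'] on this event).
    """
    if not expr.startswith("//Event/"):
        raise ValueError("only //Event/... expressions are supported: " + expr)
    path = expr[len("//Event/"):]
    if path.endswith("/text()"):
        node = root.find(path[:-len("/text()")])
        return None if node is None else node.text
    head, sep, attr = path.rpartition("/@")
    if sep:
        node = root.find(head)
        return None if node is None else node.get(attr)
    raise ValueError("unsupported xpath shape: " + expr)


def extract_fields(xml_text, config_text):
    """Apply every xpath line to the event, skipping targets that are duplicated."""
    root = strip_namespaces(ET.fromstring(xml_text))
    dups = set(duplicate_targets(config_text))
    return {t: evaluate(root, exprs[0])
            for t, exprs in xpath_mappings(config_text).items() if t not in dups}


if __name__ == "__main__":
    print("duplicated targets:", duplicate_targets(FILTER_CONFIG))
    for field, value in extract_fields(EVENT_XML, FILTER_CONFIG).items():
        print(f"{field} = {value!r}")
```

Running it against the embedded excerpt reports `ConnectionHandle` as a duplicated target and extracts `SystemTime`, `EventID` and `ServerName` from the event; `URL` comes back as `None` because this event carries no `Data Name="URL"`, which is the same "field simply absent" outcome the optional xpath lines in the filter produce for events that lack those elements.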