'Can I configure filebeat decode_xml to start part way down the XML tree?
I have an XML field in my logfile that filebeat is parsing. I want to keep the original full field, but decode the field part way down.
eg:
<myfield>
<fred>
<barney>
<wilma>
...
</wilma>
</barney>
<betty>
...
</betty>
</fred>
</myfield>
So I want to keep the full <myfield> in the logs "as is", but also create a new set of individual fields using decode_xml - but I'm not interested in creating individual fields for fred, barney or betty, I just want from "wilma" down....
Is this possible?
Solution 1:[1]
So I worked it out! Hopefully this might help someone else in future... Something along the lines of:
processors:
- decode_xml:
field: message
target_field: xml
ignore_missing: true
- copy_fields:
fields:
- from: xml.myfield.fred.wilma
to: wilma
fail_on_error: false
ignore_missing: true
- drop_fields:
fields: ["xml"]
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | user13123513 |