How to set a value on an empty XML field in Logstash

Time: 2016-01-21 15:11:44

Tags: xml xpath logstash

I receive some XML messages with Logstash, and I parse them to get the relevant information

if ([message] =~ /^</) {
      xml {
        source => "message"
        store_xml => false
        xpath => [
          "name(/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/*[not(self::METADATA)])","MESSAGE_TYPE",              
        ]
        target => "xml"
      }
      if ([MESSAGE_TYPE] == "") {
        mutate {
          update => { "MESSAGE_TYPE" => "EDITO" }
        }
      }
    }

My goal is to get every MESSAGE_TYPE and, if it is empty, set it to EDITO. Right now I can see the empty messages in Kibana (MESSAGE_TYPE.raw:"") but I don't see any EDITO MESSAGE_TYPE.

I have some MESSAGE_TYPE values: TEXTS, MATERIALS, PHOTOS, but no EDITO (only empty messages)

kibana fields

To sum up, the empty string should be EDITO

I have already read some documentation (https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-replace https://groups.google.com/forum/#!msg/logstash-users/mKJVO6yAmSc/on9mLRtLgTYJ), but still no luck

1 answer:

Answer 0: (score: 0)

At least I have it :) I had to install a Logstash plugin (alter: https://www.elastic.co/guide/en/logstash/current/plugins-filters-alter.html). Here is the Logstash conf

xml {
        add_field => { "genre" => "xml"}
        source => "message"
        store_xml => false
        xpath => [
          "/APIOS_MOM_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APISTAT_EVENT/IDENT/NO_EMIARTE/text()", "NO_EMIARTE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR","VECTORS",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@NAME","VECTOR_NAME",
          "/APIOS_MOM_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APISTAT_EVENT/INFO_EVENT/SENDER/text()","SENDER",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@ONLINE","ON_LINE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/VECTORS/VECTOR/@OFFLINE","OFF_LINE",
          "name(/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/*[not(self::METADATA)])","MESSAGE_TYPE",
          "/APIOS_MOM_EVENT/DATA/APIOS_EXPORT/METADATA/CODE_OFFRE_WEB/text()","OFFRE_WEB"
        ]
        target => "xml"
      }
      alter {
        condrewrite => [
          "MESSAGE_TYPE","","EDITO"
        ]
      }

Now my EDITO messages are correct

Kibana / discover tab with EDITO message

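This plugin will become part of Logstash core (the functionality provided by this plugin is likely to be merged into the mutate filter in a future version).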
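An added example, not part of the original question or answer and not Logstash or plugin source: a plain-Ruby model of why a string comparison against "" can miss the field while an element-wise conditional rewrite catches it. It assumes the xml filter stores each xpath result as an array of strings; the helper names and sample events are hypothetical and constructed.

```ruby
# Added example: a plain-Ruby model of the event field, not Logstash source.
# Assumption: the xml filter stores each xpath result as an array of strings,
# so an unmatched name(...) expression ends up as [""] rather than "".

# Constructed events covering the shapes the field can take.
def sample_events
  [
    { "MESSAGE_TYPE" => ["PHOTOS"] },   # a typed export
    { "MESSAGE_TYPE" => [""] },         # name(...) matched no element
    { "MESSAGE_TYPE" => "" },           # scalar form, for comparison
    { "SENDER" => ["constructed"] }     # field absent
  ]
end

# What a conditional such as `[MESSAGE_TYPE] == ""` effectively tests:
# the whole field value against a string.
def plain_equality_matches?(event, field, expected)
  event[field] == expected
end

# Conditional rewrite in the style of `condrewrite => [field, expected, new]`:
# replace a value only when it equals `expected`, element by element for arrays.
def cond_rewrite(event, field, expected, replacement)
  value = event[field]
  case value
  when Array
    event[field] = value.map { |v| v == expected ? replacement : v }
  when String
    event[field] = replacement if value == expected
  end
  event
end

# Apply the rewrite to copies so the sample input stays untouched.
def rewrite_all(events)
  events.map { |e| cond_rewrite(e.dup, "MESSAGE_TYPE", "", "EDITO") }
end

if __FILE__ == $PROGRAM_NAME
  sample_events.each do |e|
    matched = plain_equality_matches?(e, "MESSAGE_TYPE", "")
    puts "#{e.inspect}  plain == \"\": #{matched}"
  end
  rewrite_all(sample_events).each { |e| puts e.inspect }
end
```
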