I am trying to parse the following xml data using logstash.I am able to do it by removing the namespace from tags.But when I am trying it on the actual documents which is having namespace in it, its not able to parse the fields. Can someone help with the use of namespace or whether I am going wrong somewhere else?
<Book:Body>
<Book:Head>
<bookname>Book:Name</bookname>
<ns:Hello xmlns:ns="www.example.com">
<ns:BookDetails>
<ns:ID>123456</ns:ID>
<ns:Name>ABC</ns:Name>
</ns:BookDetails>
</ns:Hello xmlns:ns="www.example.com">
</Book:Head>
</Book:Body>
Following is my config file:
multiline {
pattern => "<Book:Body>"
what => "previous"
negate => "true"
}
xml {
store_xml => "false"
source => "message"
remove_namespaces => "true"
xpath =>[
"/Book/Book/BookDetails/ID/text()","ID",
"/Book/Book/BookDetails/Name/text()","Name"
]
}
mutate {
add_field => ["IDIndexed", "%{ID}"]
add_field => ["NameIndexed", "%{Name}"]
}
As it is not getting parsed, I am just getting %{ID} and %{Name} using mutate instead of getting their actual values.
Problem is in xpath : try this
xpath => [
"/Body/head/Hello/BookD/BookDetails/ID/text()", "ID",
"/Body/head/Hello/BookD/BookDetails/Name/text()", "Name",
]