Displaying XML data in a grid with Kibana and Logstash

Posted 2025-01-31 09:25:12 · 1266 words · 3 views · 0 comments

I wanted to display XML data using Logstash and Kibana in grid format. Using the conf file below, I am able to display the data in a grid, but I am not able to split the row data.
Example:

[Image: Output]

[Image: Expected Result]

logstash.conf file:

    input {
        file {
            path => "C:/ELK Stack/logstash-8.2.0-windows-x86_64/logstash-8.2.0/Test.xml"
            start_position => "beginning"
            sincedb_path => "NUL"
            codec => multiline {
                pattern => "^<?stations.*>"
                negate => "true"
                what => "previous"
                auto_flush_interval => 1
                max_lines => 3000
            }
        }
    }

    filter {
        xml {
            source => "message"
            target => "parsed"
            store_xml => "false"
            xpath => [
                "/stations/station/id/text()", "station_id",
                "/stations/station/name/text()", "station_name"
            ]
        }
        mutate {
            remove_field => [ "message" ]
        }
    }

    output {
        elasticsearch {
            action => "index"
            hosts => "localhost:9200"
            index => "logstash_index123xml"
            workers => 1
        }
        stdout {
            codec => rubydebug
        }
    }


Comments (1)

仅冇旳回忆 2025-02-07 09:25:12

xpath will always return arrays; to associate the members of the two arrays you are going to need to use a ruby filter. To get multiple events you can use a split filter to split an array which you build in the ruby filter. If you start with

<stations> 
<station> 
<id>1</id> 
<name>a</name> 
<id>2</id>
<name>b</name> 
</station> 
</stations>

then if you use

    xml {
        source => "message"
        store_xml => "false"
        # Each XPath result is stored as an array under @metadata
        xpath => {
            "/stations/station/id/text()" => "[@metadata][station_id]"
            "/stations/station/name/text()" => "[@metadata][station_name]"
        }
        remove_field => [ "message" ]
    }
    ruby {
        code => '
            ids = event.get("[@metadata][station_id]")
            names = event.get("[@metadata][station_name]")
            # Pair by index only when both arrays exist and have equal length
            if ids.is_a?(Array) && names.is_a?(Array) && ids.length == names.length
                a = []
                ids.each_index { |x|
                    a << { "station_name" => names[x], "station_id" => ids[x] }
                }
                event.set("[@metadata][theData]", a)
            end
        '
    }
    # Emit one event per entry of the array built above
    if [@metadata][theData] {
        split {
            field => "[@metadata][theData]"
            add_field => {
                "station_name" => "%{[@metadata][theData][station_name]}"
                "station_id" => "%{[@metadata][theData][station_id]}"
            }
        }
    }

You will get two events

{
    "station_name" => "a",
      "station_id" => "1",
    ...
}
{
    "station_name" => "b",
      "station_id" => "2",
    ...
}
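An added example, not part of the original answer and written as standalone Ruby rather than as a Logstash filter: pairing two document-wide XPath arrays by index yields nothing (or misaligned rows) as soon as one `<station>` lacks a `<name>`, so this version pairs inside each station using REXML and counts the stations it rejects. The helper names `station_rows` and `global_rows` and the sample XML are constructed for illustration, and it assumes ids and names appear in matching order within a station.

```ruby
require "rexml/document"

# Constructed sample input (not from the original post): the second
# station has no <name>, so document-wide XPath arrays would be
# ids = ["1", "2", "3"] and names = ["a", "c"].
SAMPLE_XML = <<~XML
  <stations>
    <station><id>1</id><name>a</name></station>
    <station><id>2</id></station>
    <station><id>3</id><name>c</name></station>
  </stations>
XML

# Hypothetical helper: pair ids and names inside each <station> instead of
# by index across the whole document. Returns [rows, rejected_count].
def station_rows(xml)
  doc = REXML::Document.new(xml)
  rows = []
  rejected = 0
  REXML::XPath.each(doc, "/stations/station") do |station|
    ids   = REXML::XPath.match(station, "id").map { |e| e.text.to_s.strip }
    names = REXML::XPath.match(station, "name").map { |e| e.text.to_s.strip }
    if ids.empty? || ids.length != names.length
      rejected += 1 # incomplete station: count it, do not guess a pairing
      next
    end
    ids.zip(names) do |id, name|
      rows << { "station_id" => id, "station_name" => name }
    end
  end
  [rows, rejected]
end

# Document-wide pairing by index, for comparison with the approach above.
# Returns nil when the two arrays cannot be aligned.
def global_rows(xml)
  doc = REXML::Document.new(xml)
  ids   = REXML::XPath.match(doc, "/stations/station/id/text()").map(&:to_s)
  names = REXML::XPath.match(doc, "/stations/station/name/text()").map(&:to_s)
  return nil unless ids.length == names.length
  ids.zip(names).map { |id, name| { "station_id" => id, "station_name" => name } }
end
```

In a pipeline, the rejected count is the value to surface (for example as a tag or a metric) so that incomplete source records are visible instead of silently missing from the index.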