下面的语句是简单的传入消息,
AccessList<EventData>
<Data Name="AccessList">%%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 %%1538 </Data>
</EventData>
我使用以下配置抓取此文本,但在 mutate 过滤器插件中分割无法正常工作:
filter {
xml {
xpath => ["//Data[@Name='AccessList']/text()","access_text"]
}
mutate {
gsub => ["access_text" ,"\s+", ""]
gsub => ["access_text" ,"%%", ","]
gsub => ["access_text","^,",""] #Delete first comma
}
mutate {
convert => {
"access_text" => "string"
}
}
mutate {
split => {"access_text" => ","}
}
}
这是 Kibana 上的输出不分割文本:
4416,4417,4418,4419,4420,4423,4424,1538
我的预期输出是 Kibana 上这样的数组:
[4416,4417,4418,4419,4420,4423,4424,1538]
执行转换突变时,entry_text类别到字符串的转换可能会导致后续单独的突变偏离预期结果。
试试这个。
filter {
xml {
source => "message"
target => "xml_content"
xpath => ["/EventData/Data[@Name='AccessList']/text()", "access_text"]
}
mutate {
gsub => ["access_text" ,"\s+", ""]
gsub => ["access_text" ,"%%", ","]
gsub => ["access_text","^,",""] # Delete first comma
}
mutate {
split => {"access_text" => ","}
}
}