Multiline Filter Help to find specific field

I have an xml file that I need to ingest with Logstash, with specific fields. It has structure:

< Test>

< Type>

< Data>





< /Data>

< /Type>

< /Test>
I am trying to use multiline codec, in order to filter through the message and get the data I need with a specific pattern.

The data I only want to ingest is everything inside of < Data>…< /Data> and ignore the rest of the data.
I have following configuration, which seems to take for start each event, but ingests data until the next . I seem to get in each event < Data>< /Data> < /Test>< Test>< Type>

codec => multiline {

pattern => “.< Data>.

pattern => “<(Data)|(Data)>”

negate => true

what => “previous”

}
How to take only everything in < Data>< /Data> into account?

I managed to resolve with:

codec => multiline {

pattern => “.<( Test|Type|Data)>.

negate => true

what => “previous”
and then in filter drop anything containing:

if [message] =~ “< Test>” {

drop {}}

Same for Data.
Is there a better way with multiline to deal with this?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.