logstash - 如何使用logstash删除xml中的行
问题描述
大家。我是logstash的新手。我已经在 logstash 中研究了一周的过滤器,但没有结果。我想解析xml。我有以下xml:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<ContinentLogs>
<Cryptogateways>
<cgw id="1" cssid="0" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">ЦУС</cgw>
<cgw id="2" cssid="50556" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">DP.152FZ.DA01</cgw>
<cgw id="3" cssid="50557" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">M1.152FZ.DA01</cgw>
<cgw id="4" cssid="51358" ip="0.0.0.0" tz="RCPTZ 00:00 RCPTZS 00:00,M0.0.0/00:00:00,M0.0.0/00:00:00">3D Get</cgw>
<cgw id="5" cssid="51491" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">М1.152FZ.CUS02</cgw>
<cgw id="6" cssid="51845" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">DP.152FZ.FW01</cgw>
<cgw id="7" cssid="51847" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">M1.152FZ.FW01</cgw>
<cgw id="8" cssid="53840" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">M1.152FZ.FW02</cgw>
<cgw id="9" cssid="68604" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">TNC MIG</cgw>
<cgw id="10" cssid="69007" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">HAKR</cgw>
<cgw id="11" cssid="111846" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">ALT MOT</cgw>
<cgw id="12" cssid="111978" ip="0.0.0.0" tz="RCPTZ -3:00 RCPTZS -4:00,M0.0.0/00:00:00,M0.0.0/00:00:00">GPB RIM</cgw>
</Cryptogateways>
<FilterRules>
<rule id="-8" deleted="false">Pravil</rule>
<rule id="-5" deleted="false">(?) Neopredelen</rule>
<rule id="-3" deleted="false">Udalenni pravila</rule>
<rule id="-2" deleted="false">SD prav</rule>
<rule id="-1" deleted="false">Slygeb prav</rule>
<rule id="0" deleted="false">Ne sootvetsvyet</rule>
<rule id="17" deleted="false">Mon => Mail Server</rule>
</FilterRules>
</ContinentLogs>
我想删除该部分中具有 «cgw id="3"» и «cgw id="7"» 的行。并删除该部分中具有 «rule id="-5"» и «rule id="0"» 的行。将所有内容写回 xml 而不更改任何其他内容。帮助如何通过 Logstash 做到这一点?先感谢您。
解决方案
如果您的 logstash 正在喂 ELK,那么您的解决方案应该首先在Prune黑名单中,在 xpath 中添加您想要的项目,例如让我的 Xml 文件像
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
<Appenders>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n" />
</Console>
</Appenders>
<Loggers>
<Logger name="com.foo.Bar" level="trace">
<AppenderRef ref="Console" />
</Logger>
<Logger name="com.foo.Bar.test.2.error" level="error">
<AppenderRef ref="Console" />
</Logger>
<Root level="error">
<AppenderRef ref="Console" />
</Root>
</Loggers>
</Configuration>
现在在配置文件中使用如下过滤器。
filter {
xml {
source => "message"
store_xml => false
target => "rec"
xpath => [
"/Configuration /@status", "Configuration_LEVEL" // defining my item to delete
]
}
prune {
blacklist_names => ["Configuration_LEVEL"] // delete the item using prune blacklist
}
}
我希望它对你有所帮助。
推荐阅读
- php - 在while循环中回显类别名称
- android - Using Android Test Filter (@SmallTest, @MediumTest, @LargeTest) for Local Unit Tests
- android - I try to add firebaseUI but show error Failed to resolve: support-vector-drawable
- php - PHP - Middlewares\FastRoute 包的 nikic/FastRoute 路由
- reactjs - Laravel Mix 和 React 的 NODE_PATH 和绝对导入?
- sql - 如何在 vb.net 中搜索多个字段名称以过滤搜索 datagridview
- cucumber - How to write given, when, then for switching tabs to check login
- angular - Getting undefined error when trying to add array
- php - 将表数据的内容插入/发布到数据库中
- php - 如何用php标签替换方形标签