
I have an ELK (v5.2.1) cluster for log analysis. My index has many log messages, and some of the messages contain a string about the result code. The messages look like this:

2017-03-28 20:35:14,518 [http-bio-8173-exec-3] INFO  [soap] Outbound Message
ID: 2910
Response-Code: 200
Encoding: ISO-8859-1
Content-Type: application/soap+xml
Headers: {}
Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><env:Header xmlns:env="http://www.w3.org/2003/05/soap-envelope"/><soap:Body><syn:getActiveUserResponse xmlns:ns2="http://somecompany.com" xmlns:ns3="http://ws.myserver.com/unibssHead" xmlns:ns4="http://ws.myserver.com/InternationUser/anyappBody/syncRoamingTrafficInfoReq" xmlns:ns5="http://ws.myserver.com/InternationUser/anyappBody" xmlns:ns6="http://ws.myserver.com/unibssAttached" xmlns:ns7="http://ws.myserver.com/InternationUser/anyappBody/syncRoamingTrafficInfoRsp" xmlns:syn="http://somecompany.com"><Result>2012</Result><Description>Something wrong</Description><TransactionID>a0431</TransactionID><Count>0</Count></syn:getActiveUserResponse></soap:Body></soap:Envelope>

I'm trying to extract the number between <Result> and </Result> from the message and calculate the amount in a certain period. Can anyone please share how to do it? I know some basic queries like 'match', 'terms', 'aggs' only. Thanks in advance!

  • Sorry, the missing words after 'between' are and – felixc Mar 28 '17 at 20:45
  • Loading it using logstash would work. See [example](https://github.com/elastic/examples/tree/master/ElasticStack_NGINX) for loading nginx logs using logstash. This could help as well - https://www.elastic.co/guide/en/logstash/current/plugins-filters-xml.html – Suhas K Mar 29 '17 at 05:19
  • Thank you for the information. I do know logstash can do it. But those logs are only a very small part of the logs. I'm afraid that increases the system load. I'm checking analyzers or tokenizers – felixc Mar 29 '17 at 17:47
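Added example (not from the question or any answer on this page): the extraction and per-period count done client-side in Python over constructed sample events, mirroring what an anchored grok pattern would extract and what a date_histogram with a terms sub-aggregation would count on the Elasticsearch side. It assumes each multi-line SOAP message is indexed as one event that begins with the log4j timestamp; the sample events, regexes and function names are constructed for this illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in the question's log format (not real data); each
# multi-line SOAP event starts with a log4j timestamp. The last entry is an
# unrelated line, showing that events without a <Result> element are skipped.
SAMPLE_EVENTS = [
    "2017-03-28 20:35:14,518 [http-bio-8173-exec-3] INFO  [soap] Outbound Message\n"
    "ID: 2910\nResponse-Code: 200\n"
    "Payload: <soap:Envelope><soap:Body><Result>2012</Result>"
    "<Description>Something wrong</Description></soap:Body></soap:Envelope>",
    "2017-03-28 20:41:02,001 [http-bio-8173-exec-5] INFO  [soap] Outbound Message\n"
    "ID: 2911\nResponse-Code: 200\n"
    "Payload: <soap:Envelope><soap:Body><Result>0</Result><Count>3</Count></soap:Body></soap:Envelope>",
    "2017-03-28 21:03:44,917 [http-bio-8173-exec-1] INFO  [soap] Outbound Message\n"
    "ID: 2912\nResponse-Code: 500\n"
    "Payload: <soap:Envelope><soap:Body><Result>2012</Result></soap:Body></soap:Envelope>",
    "2017-03-28 21:05:00,000 [http-bio-8173-exec-2] INFO  [db] Connection pool resized",
]

# Match only the <Result> element: a bare number pattern would also hit
# ID, Response-Code or Count in the same event.
RESULT_RE = re.compile(r"<Result>(\d+)</Result>")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
EPOCH = datetime(1970, 1, 1)

def extract_result(event):
    """Return the SOAP Result code as an int, or None if the event has none."""
    m = RESULT_RE.search(event)
    return int(m.group(1)) if m else None

def floor_to_interval(ts, interval):
    """Round a timestamp down to the start of its bucket (like date_histogram)."""
    secs = (ts - EPOCH).total_seconds()
    return EPOCH + timedelta(seconds=secs - secs % interval.total_seconds())

def result_histogram(events, interval=timedelta(hours=1)):
    """Count Result codes per time bucket: the client-side equivalent of a
    date_histogram aggregation with a terms sub-aggregation on the extracted
    code. Returns {(bucket_start_iso, code): count}."""
    counts = Counter()
    for event in events:
        code, m = extract_result(event), TS_RE.match(event)
        if code is None or not m:
            continue  # no <Result> element, or not an event header
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        counts[(floor_to_interval(ts, interval).isoformat(), code)] += 1
    return dict(counts)
```

If the payload lines are indexed as separate events from the timestamp line, the `<Result>` line has no time of its own, so the multi-line message has to be joined into one event before any extraction (in Logstash or the shipper) for the per-period count to be meaningful.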

0 Answers