Parse data as XML. Specify field=@rawstring to parse the @rawstring into XML. If the specified field does not exist, the event is skipped. If the specified field exists but contains non-XML data, the behaviors depends on the strict parameter.

ParameterTypeRequiredDefaultDescription
field[a]stringrequired@rawstring Field that should be parsed as XML.
prefixstringoptional[b]  Prefix the name of the fields extracted from XML with the value of this parameter.
strictbooleanoptional[b]false Specifies if events where the field does not contain valid XML should be filtered out of the result set.
  Valid Values
   falseAll events are passed, including an error flag describing why the event parsing failed
   trueEvents that do not contain valid XML will be filtered in the result set

[a] The argument name field can be omitted.

[b] Optional parameters use their default value unless explicitly set

Omitted Argument Names

The argument name for field can be omitted; the following forms of this function are equivalent:

logscale
parseXml("field")

and:

logscale
parseXml(field="field")

These examples show basic structure only; full examples are provided below.

parseXml() Examples

If the whole event sent to LogScale is XML like this:

xml
<log><service>userService</service><timestamp>2017-12-18T20:39:35Z</timestamp><msg>user with id=47 logged in</msg></log>
logscale
parseXml()
| parseTimestamp(field=timestamp)

If a field in the incoming event contains XML like this:

xml
2017-12-18T20:39:35Z user id=47 logged in details="<log><service>userService</service><timestamp>2017-12-18T20:39:35Z</timestamp><msg>user with id=47 logged in</msg></log>"\n\n

In the example below, the details field is extracted using the kvParse() function and then parseXml() is used to parse the XML inside the details field.

logscale
/(?<timestamp>\S+)/
| parseTimestamp(field=timestamp)
| kvParse()
| parseXml(field=details)