Parse data as XML. Specify field=@rawstring to parse the @rawstring into XML. If the specified field does not exist, the event is skipped. If the specified field exists but contains non-XML data, the behavior depends on the strict parameter.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
field [a] | string | required | @rawstring | Field that should be parsed as XML. |
prefix | string | optional[b] | | Prefix the name of the fields extracted from XML with the value of this parameter. |
strict | boolean | optional[b] | false | Specifies if events where the field does not contain valid XML should be filtered out of the result set. |

Valid values for strict:

Value | Description |
---|---|
false | All events are passed, including an error flag describing why the event parsing failed |
true | Events that do not contain valid XML will be filtered out of the result set |

[b] Optional parameters use their default value unless explicitly set
Omitted Argument Names
The argument name for field can be omitted; the following forms of this function are equivalent:
parseXml("field")
and:
parseXml(field="field")
These examples show basic structure only; full examples are provided below.
parseXml() Examples
If the whole event sent to LogScale is XML like this:
<log><service>userService</service><timestamp>2017-12-18T20:39:35Z</timestamp><msg>user with id=47 logged in</msg></log>
parseXml()
| parseTimestamp(field=timestamp)
If a field in the incoming event contains XML like this:
2017-12-18T20:39:35Z user id=47 logged in details="<log><service>userService</service><timestamp>2017-12-18T20:39:35Z</timestamp><msg>user with id=47 logged in</msg></log>"\n\n
In the example below, the details field is extracted using the kvParse() function and then parseXml() is used to parse the XML inside the details field.
/(?<timestamp>\S+)/
| parseTimestamp(field=timestamp)
| kvParse()
| parseXml(field=details)
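The strict and prefix parameters from the parameter table, applied to the kvParse() pipeline above. This is an added example, not part of the original documentation; the prefix value xml_ is a constructed sample value, and the two variants are separate queries to be run one at a time.

```logscale
// Variant 1: non-strict (the default, written out explicitly).
// Events whose details field does not contain valid XML stay in the
// result set and carry an error flag describing why parsing failed,
// so truncated or malformed payloads remain visible for review
// instead of disappearing from the search.
/(?<timestamp>\S+)/
| parseTimestamp(field=timestamp)
| kvParse()
| parseXml(field=details, prefix="xml_", strict=false)

// Variant 2: strict.
// Events whose details field does not contain valid XML are filtered
// out of the result set. Use this only where dropping those events is
// acceptable, for example in a dashboard query that must operate on
// well-formed records.
/(?<timestamp>\S+)/
| parseTimestamp(field=timestamp)
| kvParse()
| parseXml(field=details, prefix="xml_", strict=true)
```

In both variants the prefix keeps the field names extracted from the XML distinguishable from the fields already produced by the regular expression and kvParse().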