Decode XML
The decode_xml processor decodes XML data that is stored under the field key. It outputs the result into the target_field.
This example demonstrates how to decode an XML string contained in the message
field and write the resulting fields into the root of the document. Any fields
that already exist will be overwritten.
processors:
  - decode_xml:
      field: message
      target_field: ""
      overwrite_keys: true
By default any decoding errors that occur will stop the processing chain and the error will be added to the error.message field. To ignore all errors and continue to the next processor you can set ignore_failure: true. To specifically ignore failures caused by field not existing you can set ignore_missing: true.
processors:
  - decode_xml:
      field: example
      target_field: xml
      ignore_missing: true
      ignore_failure: true
By default all keys converted from XML will have their names converted to lowercase. To disable this behavior, use the example below:
processors:
  - decode_xml:
      field: message
      target_field: xml
      to_lower: false
Example XML input:
<catalog>
  <book seq="1">
    <author>William H. Gaddis</author>
    <title>The Recognitions</title>
    <review>One of the great seminal American novels of the 20th century.</review>
  </book>
</catalog>
Will produce the following output:
{
  "xml": {
    "catalog": {
      "book": {
        "author": "William H. Gaddis",
        "review": "One of the great seminal American novels of the 20th century.",
        "seq": "1",
        "title": "The Recognitions"
      }
    }
  }
}
The supported configuration options are:
- field
  (Required) Source field containing the XML. Defaults to message.
- target_field
  (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify target_field with an empty string (target_field: ""). Note that the null value (target_field:) is treated as if the field was not set at all.
- overwrite_keys
  (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is true.
- to_lower
  (Optional) Converts all keys to lowercase. Accepts either true or false. The default value is true.
- document_id
  (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in @metadata._id.
- ignore_missing
  (Optional) If true the processor will not return an error when a specified field does not exist. Defaults to false.
- ignore_failure
  (Optional) Ignore all errors produced by the processor. Defaults to false.
See Conditions for a list of supported conditions.
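The target_field, overwrite_keys and to_lower semantics described above, as an added Python sketch that is not part of the original page and is not the Beats implementation. The Python function decode_xml and the EVENT sample are constructed for illustration; repeated sibling elements, mixed content, document_id and error handling are not modeled.

```python
import xml.etree.ElementTree as ET

# XML input from the page's example.
SAMPLE_XML = (
    '<catalog><book seq="1"><author>William H. Gaddis</author>'
    '<title>The Recognitions</title>'
    '<review>One of the great seminal American novels of the 20th century.</review>'
    '</book></catalog>'
)
# Constructed event: "host" was set by the shipper, the XML payload came off the wire.
EVENT = {"message": "<Host><Name>from-payload</Name></Host>",
         "host": {"name": "sensor-01"}}

def _key(name, to_lower):
    return name.lower() if to_lower else name

def _element_to_value(elem, to_lower):
    """Leaf elements become strings; others become dicts of attributes and children."""
    if len(elem) == 0 and not elem.attrib:
        return (elem.text or "").strip()
    node = {_key(k, to_lower): v for k, v in elem.attrib.items()}
    for child in elem:
        node[_key(child.tag, to_lower)] = _element_to_value(child, to_lower)
    return node

def decode_xml(event, field="message", target_field=None, overwrite_keys=True, to_lower=True):
    """Simplified model of the documented options (assumption, not the Beats code)."""
    root = ET.fromstring(event[field])
    decoded = {_key(root.tag, to_lower): _element_to_value(root, to_lower)}
    out = dict(event)
    if target_field is None:      # option not set: decoded object replaces the source field
        out[field] = decoded
    elif target_field == "":      # empty string: merge decoded keys into the event root
        for k, v in decoded.items():
            if overwrite_keys or k not in out:
                out[k] = v
    else:                         # named target: decoded keys stay under their own field
        out[target_field] = decoded
    return out
```

With to_lower at its default, the payload's Host element lowercases to host and replaces the event's existing host field when merged into the root with overwrite_keys: true; writing under target_field: xml keeps keys decoded from captured traffic separate from fields the shipper set.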