VOOZH about

URL: https://docs.datadoghq.com/observability_pipelines/processors/parse_xml/

⇱ Parse XML Processor

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/observability_pipelines/processors/parse_xml.md. A documentation index is available at /llms.txt.

Parse XML Processor

This product is not supported for your selected Datadog site. ().
Available for:

Logs

Overview

This processor parses Extensible Markup Language (XML) so the data can be processed and sent to different destinations. XML is a log format used to store and transport structured data. It is organized in a tree-like structure to represent nested information and uses tags and attributes to define the data. For example, this is XML data using only tags (<recipe>,<type>, and <name>) and no attributes:

<recipe>
 <type>pasta</type>
 <name>Carbonara</name>
</recipe>

This is an XML example where the tag recipe has the attribute type:

<recipe>
 <recipe type="pasta">
 <name>Carbonara</name>
</recipe>

The following image shows a Windows Event 4625 log in XML, next to the same log parsed and output in JSON. By parsing the XML log, the size of the log event was reduced by approximately 30%.

Setup

To set up this processor:

  1. Define a filter query. Only logs that match the specified filter query are processed. All logs, regardless of whether they match the filter query, are sent to the next step in the pipeline. See Search Syntax for more information.
  2. Enter the path to the log field on which you want to parse XML. Use the path notation <OUTER_FIELD>.<INNER_FIELD> to match subfields. See the Path notation example below.
  3. Optionally, in the Enter text key field, input the key name to use for the text node when XML attributes are appended. See the text key example. If the field is left empty, value is used as the key name.
  4. Optionally, select Always use text key if you want to store text inside an object using the text key even when no attributes exist.
  5. Optionally, toggle Include XML attributes on if you want to include XML attributes. You can then choose to add the attribute prefix you want to use. See attribute prefix example. If the field is left empty, the original attribute key is used.
  6. Optionally, select if you want to convert data types into numbers, Booleans, or nulls.
    • If Numbers is selected, numbers are parsed as integers and floats.
    • If Booleans is selected, true and false are parsed as Booleans.
    • If Nulls is selected, the string null is parsed as null.

Path notation example

For this log structure example:

{
 "outer_key": {
 "inner_key": "inner_value",
 "a": {
 "double_inner_key": "double_inner_value",
 "b": "b value"
 },
 "c": "c value"
 },
 "d": "d value"
}

Follow these reference rules:

  • Use outer_key.inner_key to reference the key with the value inner_value.
  • Use outer_key.a.double_inner_key to reference the key with the value double_inner_value.

To specify a nested field with a literal . in the attribute key, wrap the key in escaped quotes in the search query. For example, the search query "service.status":disabled matches the event {"service.status": "disabled"}.

Always use text key example

If Always use text key is selected, the text key is the default (value), and you have the following XML:

<recipe>
 <recipe type="pasta">
 <name>Carbonara</name>
</recipe>

The XML is converted to:

{
 "recipe": {
 "type": "pasta",
 "value": "Carbonara"
 }
}

Text key example

If the key is text and you have the following XML:

<recipe>
 <recipe type="pasta">
 <name>Carbonara</name>
</recipe>

The XML is converted to:

{
 "recipe": {
 "type": "pasta",
 "text": "Carbonara"
 }
}

Attribute prefix example

If you enable Include XML attributes, the attribute is added as a prefix to each XML attribute. For example, if the attribute prefix is @ and you have the following XML:

<recipe type="pasta">Carbonara</recipe>

Then it is converted to the JSON:

{
 "recipe": {
 "@type": "pasta",
 "<text key>": "Carbonara"
 }
}

Further reading