RemoveXML
Learn about the RemoveXML OTTL converter function.
2 minute read
The RemoveXML converter removes elements from an XML document based on an XPath query.
Syntax: RemoveXML(xml_string, xpath)
- xml_string: the bracket notation location of the XML string
- xpath: string XPath to locate the element that needs to be removed
Input
{
"_type": "log",
"timestamp": 1734576565217,
"body": "<log type=\"access\"><!-- Log entry for a web request --><details><host>172.17.15.39</host><userIdentifier>68b148de-7ce3-423c-b72d-64a4f21ecfc0</userIdentifier><timeLocal>2024-12-15T22:40:53.723160Z</timeLocal></details><requestInfo><method>POST</method><request>/styles/main.css</request><protocol>HTTP/2</protocol></requestInfo><response><status>403</status><bytesSent>1043</bytesSent></response><message>This is a sample log entry</message></log>",
"resource": {...},
"attributes": {
"decoded_body": "<log type=\"access\"><!-- Log entry for a web request --><details><host>172.17.15.39</host><userIdentifier>68b148de-7ce3-423c-b72d-64a4f21ecfc0</userIdentifier><timeLocal>2024-12-15T22:40:53.723160Z</timeLocal></details><requestInfo><method>POST</method><request>/styles/main.css</request><protocol>HTTP/2</protocol></requestInfo><response><status>403</status><bytesSent>1043</bytesSent></response><message>This is a sample log entry</message></log>"
}
}
Statement
set(attribute["trimmed_xml"], RemoveXML(attributes["decoded_body"], "/log/details"))
Output
{
"_type": "log",
"timestamp": 1734576600936,
"body": "<log type=\"access\"><!-- Log entry for a web request --><details><host>172.17.15.39</host><userIdentifier>68b148de-7ce3-423c-b72d-64a4f21ecfc0</userIdentifier><timeLocal>2024-12-15T22:40:53.723160Z</timeLocal></details><requestInfo><method>POST</method><request>/styles/main.css</request><protocol>HTTP/2</protocol></requestInfo><response><status>403</status><bytesSent>1043</bytesSent></response><message>This is a sample log entry</message></log>",
"resource": {...},
"attributes": {
"decoded_body": "<log type=\"access\"><!-- Log entry for a web request --><details><host>172.17.15.39</host><userIdentifier>68b148de-7ce3-423c-b72d-64a4f21ecfc0</userIdentifier><timeLocal>2024-12-15T22:40:53.723160Z</timeLocal></details><requestInfo><method>POST</method><request>/styles/main.css</request><protocol>HTTP/2</protocol></requestInfo><response><status>403</status><bytesSent>1043</bytesSent></response><message>This is a sample log entry</message></log>"
},
"attribute": {
"trimmed_xml": "<log type=\"access\"><!-- Log entry for a web request --><requestInfo><method>POST</method><request>/styles/main.css</request><protocol>HTTP/2</protocol></requestInfo><response><status>403</status><bytesSent>1043</bytesSent></response><message>This is a sample log entry</message></log>"
}
}
The details object was removed. For readability, the XML was changed from this:
<log type="access"> <!-- Log entry for a web request -->
<details>
<host>172.17.15.39</host>
<userIdentifier>68b148de-7ce3-423c-b72d-64a4f21ecfc0</userIdentifier>
<timeLocal>2024-12-15T22:40:53.723160Z</timeLocal>
</details>
<requestInfo>
<method>POST</method>
<request>/styles/main.css</request>
<protocol>HTTP/2</protocol>
</requestInfo>
<response>
<status>403</status>
<bytesSent>1043</bytesSent>
</response>
<message>This is a sample log entry</message>
</log>
to this:
<log type="access"> <!-- Log entry for a web request -->
<requestInfo>
<method>POST</method>
<request>/styles/main.css</request>
<protocol>HTTP/2</protocol>
</requestInfo>
<response>
<status>403</status>
<bytesSent>1043</bytesSent>
</response>
<message>This is a sample log entry</message>
</log>