提问人:Sat 提问时间:10/17/2023 最后编辑:Sat 更新时间:10/17/2023 访问量:21
如何在 Splunk 查询中提取字母数字字段并以表格形式列出它们
How to extract alpha-numeric fields in a Splunk query and list them in table form
问:
index=myIndex container_name="abc-mno-pqr" "body='{headers: {z-gip: "
对于这个 splunk 查询,我收到如下事件
[a43597-etg675-67erty3-ju87y5-0po789] | 2023-10-17 06:39:17.593 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label="PAYLOAD", metadata={source=xyz, id=abc}, body='{headers: {z-gip: BGHTTYU45, content-type:application/json}}
[b73597-o9g675-yherty3-ju87y5-0po789] | 2023-10-17 05:23:12.854 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label="PAYLOAD", metadata={source=xyz, id=abc}, body='{headers: {z-gip: GYTHRESS, content-type:application/json}}
[bn3597-mng675-67ert56-ju87y5-0po789] | 2023-10-17 04:08:45.125 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label="PAYLOAD", metadata={source=xyz, id=abc}, body='{headers: {z-gip: NJU87TGF, content-type:application/json}}
我需要编写一个 splunk 查询,它将提供交易 ID 列表以及相应的 gip 值,如下所示
| TransactionId | 吉普 |
|---|---|
| A43597-ETG675-67ERTY3-JU87Y5-0PO789 | BGHTTYU45 |
| 货号:B73597-O9G675-Yherty3-JU87Y5-0PO789 | 吉斯瑞斯 |
| BN3597-MNG675-67ERT56-JU87Y5-0PO789 | NJU87TGF |
我尝试使用一些正则表达式,但没有一个有效
答:
1赞
whng
10/17/2023
#1
| makeresults | eval _raw="[a43597-etg675-67erty3-ju87y5-0po789] | 2023-10-17 06:39:17.593 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label=\"PAYLOAD\", metadata={source=xyz, id=abc}, body='{headers: {z-gip: BGHTTYU45, content-type:application/json}}"
| rex field=_raw "^\[(?<TransactionId>[^\]]+)"
| rex field=_raw "z-gip:\s+(?<Gip>[^,]+)"
| table TransactionId,Gip
这将导致:
TransactionId Gip
a43597-etg675-67erty3-ju87y5-0po789 BGHTTYU45
您可以使用 rex 命令或字段>字段>字段提取的设置。
评论