0

I need to extract the customer msisdn (From) of customers who have sent only one SMS (Received) and that SMS is "STOP". The logs are as follows -

5/27/18 11:38:29.598 PM [2018-27-05 23:38:29.598 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received = "JE S8 TELMA MALADE", From = "0765473387", valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS

5/27/18 9:28:30.569 PM [2018-27-05 21:28:30.569 UTC] INFO pool-1-thread-2 [receivedSmsFileLogger] - Received = "''STOP''", From = "0765757431 ", valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS

5/27/18 9:26:25.034 PM [2018-27-05 21:26:25.034 UTC] INFO pool-1-thread-1 [receivedSmsFileLogger] - Received = "1OUI", From = "0765757431", valid = "false" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS

5/27/18 9:06:36.889 PM [2018-27-05 21:06:36.889 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received = "STOP", From = "0766108902", valid = "true" host = Vapp01SN source = D:\MIP\Logs\SMSC\Cycle1\received_sms.log sourcetype = MIP_Received_SMS

4

1 Answer

0

Try this

index=foo sourcetype=bar 
| rex "From\s*=\s*\"(?<msisdn>\d+)" 
| rex "Received\s*=\s*\"(?<msg>[^\"]+)" 
| stats count(msg) as msgCount values(msg) as Msgs by msisdn 
| where msgCount=1 AND (mvindex(Msgs,0)=="STOP")
answered 2018-05-28T13:12:33.710
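
The same selection logic applied offline to the question's log lines, as an added example that is not part of the original question or answer. The sample lines are constructed (shortened from the question's format), the function names are hypothetical, and stripping stray quotes, spaces and case before comparing to STOP is an assumption that goes beyond the exact match in the query above.

```python
import re
from collections import defaultdict

# Constructed sample lines, shortened from the log format shown in the question.
SAMPLE_LOG = """\
[2018-27-05 23:38:29.598 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received = "JE S8 TELMA MALADE", From = "0765473387", valid = "false"
[2018-27-05 21:28:30.569 UTC] INFO pool-1-thread-2 [receivedSmsFileLogger] - Received = "''STOP''", From = "0765757431 ", valid = "false"
[2018-27-05 21:26:25.034 UTC] INFO pool-1-thread-1 [receivedSmsFileLogger] - Received = "1OUI", From = "0765757431", valid = "false"
[2018-27-05 21:06:36.889 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received = "STOP", From = "0766108902", valid = "true"
"""

# Same anchors as the two rex commands in the answer; whitespace inside the
# quoted sender value is tolerated (assumption, see the second sample line).
RECEIVED_RE = re.compile(r'Received\s*=\s*"([^"]*)"')
FROM_RE = re.compile(r'From\s*=\s*"\s*(\d+)\s*"')


def normalise(msg):
    """Strip surrounding whitespace and stray quote characters, then upper-case."""
    return msg.strip().strip("'\"").strip().upper()


def stop_only_senders(log_text):
    """Return the sorted msisdns that sent exactly one SMS, and that SMS was STOP."""
    messages = defaultdict(list)
    for line in log_text.splitlines():
        received = RECEIVED_RE.search(line)
        sender = FROM_RE.search(line)
        if received and sender:
            messages[sender.group(1)].append(normalise(received.group(1)))
    # Exactly one message in total, and that message is STOP.
    return sorted(m for m, msgs in messages.items() if msgs == ["STOP"])


if __name__ == "__main__":
    print(stop_only_senders(SAMPLE_LOG))
```

Only the sender with a single STOP message is returned; the sender who sent both ''STOP'' and 1OUI is excluded because the count is taken over all of that sender's messages.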