splunk - Splunk Rex：将字符串的字段提取为值

Question

我是 SPlunk 的新手，试图做一些仪表板，需要帮助来提取特定变量的字段

在我的情况下，我只想将 KB_List":"KB000119050,KB000119026,KB000119036" 值提取到一列

Expected output:

KB_List
KB000119050,KB000119026,KB000119036

我努力了：

| rex field=_raw "\*"KB_List":(?<KB_List>\d+)\*"

在日志中突出显示以下部分

svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":"","highestSeverity":"Minor ","来源":"hsym-plyfss01","re​​qEmail":"true","AlertGroup":"TIBCOP","re​​qPage":"","KB_List":"KB000119050,KB000119026,KB000119036","re​​qTicket" :"true","autoTicket":true,"SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0,"AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP"," sentPageTo":"TESTPP"},"通知":{"":{"requestId":"532938335"}},"":

Answer 1

Alas:

I figured out by looking into so many articles:

| rex "KB_List\":\"(?<KB_Listed>[^\"]+)" | table KB_Listed

Answer 2

rex field=_raw "KB_List\":\"(?<KB_List>[^\"])\""

此正则表达式将查找以 开头的任何内容，KB_List":"捕获除 a 之外的所有内容"。

在您的示例中，您仅捕获数字（\d+），而 KB_List 字段中的内容还包含字符（“KB”和“，”）