
I have a message in XML format.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2020-02-11T01:31:11.322195100Z'/><EventRecordID>66919</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='596'/><Channel>System</Channel><Computer>EC2AMAZ-B4Q4STJ</Computer><Security/></System><EventData><Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>running</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0034000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Windows Modules Installer service entered the running state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

I want to extract field names from the message. I tried something like this:

fields @timestamp | parse @message "Name=*" as ProviderName

The result gives me everything:

'Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2020-02-11T01:31:11.322195100Z'/><EventRecordID>66919</EventRecordID><Correlation/><Execution ProcessID='560' ThreadID='596'/><Channel>System</Channel><Computer>EC2AMAZ-B4Q4STJ</Computer><Security/></System><EventData><Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>running</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0034000000</Binary></EventData><RenderingInfo Culture='en-US'><Message>The Windows Modules Installer service entered the running state.</Message><Level>Information</Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider>Microsoft-Windows-Service Control Manager</Provider><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>

2 Answers


Something like this should work:

fields @message
| parse @message /.*Provider Name='(?<ProviderName>.*?)'.*/
Answered 2020-02-11T13:28:14.740

@Hector, you can parse the eventid with the following query:

fields @timestamp, @message
| sort @timestamp desc
| parse @message /(?<@eventid>(?<=<EventID>).*(?=<\/EventID))/
| filter @eventid = "<event_id_to_filter>"
Answered 2021-07-15T12:16:11.320