
I have a requirement: I need to extract part of the JSON code from a Splunk log and assign that field to spath to get further results.

My regex works in regex101 but not in Splunk.

Below is the log snippet. I am looking for the JSON code from {"unique_appcodes to the end of the line. I have shown the expected output below the post.

 cwmessage: 2021-08-26 17:14:10 araeapp INFO MRC: Unique AppCodes Report requested.
2021-08-26 17:14:10 araeapp INFO MRC_ARAE_I_042: (local) requesting uniq_appcodes report for KKA
2021-08-26 17:14:10 araeapp INFO {"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}

Rex used:

| rex field=_raw (?msi)(?<json_field>\{\"unique_appcodes\".+\}$)

This works perfectly in regex101.com and extracts the required part shown below, but when I use it in Splunk it gives no results. I think it is the spaces between the JSON attributes.

Please let me know your thoughts.

{"unique_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, {"count": 2, "app_code": "QQQ", "group": "TSR05441", "instance": "KKA"}, {"count": 1, "app_code": "QQQ", "group": "", "instance": "KKA"}, {"count": 192, "app_code": "PPP", "group": "TSR05560", "instance": "KKA"}, {"count": 12, "app_code": "PPP", "group": "", "instance": "KKA"}, {"count": 12, "app_code": "GM9", "group": "TSR06083", "instance": "KKA"}, {"count": 139, "app_code": "ZZZ", "group": "TSR06103", "instance": "KKA"}, {"count": 6, "app_code": "GNA", "group": "TSR06085", "instance": "KKA"}, {"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, {"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}

1 Answer


First, the regex must be enclosed in quotes. Embedded quotes must be triple-escaped ( \{\\\"unique_appcodes ).

Second, flags do not help in Splunk regexes.

Matching all characters using [\s\S]+ is better than using .+

answered 2021-08-26T23:46:19.500
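As an added illustration (not part of the question or the answer), the Python script below applies the question's `.+` pattern and the answer's `[\s\S]+` pattern, without flags, to a constructed event modelled on the cwmessage log, plus a constructed variant where the JSON array is spread over several lines, and then tallies count per app_code the way the spath step would. Python's `re` and Splunk's PCRE agree on `.`, `[\s\S]` and `$` for this purpose; the SPL-side quoting and escaping of the regex string is not exercised here.

```python
import json
import re

# Constructed event modelled on the question's cwmessage log (abridged, not a real capture).
EVENT = (
    "2021-08-26 17:14:10 araeapp INFO MRC: Unique AppCodes Report requested.\n"
    "2021-08-26 17:14:10 araeapp INFO MRC_ARAE_I_042: (local) requesting uniq_appcodes report for KKA\n"
    '2021-08-26 17:14:10 araeapp INFO {"unique_appcodes": ['
    '{"count": 2, "app_code": "XYZ", "group": "", "instance": "KKA"}, '
    '{"count": 803, "app_code": "SSS", "group": "MXXX0718", "instance": "KKA"}, '
    '{"count": 3, "app_code": "SSS", "group": "", "instance": "KKA"}]}'
)

# Constructed variant in which the JSON array is pretty-printed across lines:
# the case where the answer's [\s\S]+ makes the difference.
PRETTY_EVENT = EVENT.replace("[{", "[\n  {").replace("}, {", "},\n  {").replace("}]}", "}\n]}")

# The question's pattern (.+) and the answer's pattern ([\s\S]+), both used with no flags.
DOT_PATTERN = r'\{"unique_appcodes".+\}$'
CLASS_PATTERN = r'\{"unique_appcodes"[\s\S]+\}$'


def extract_json(event: str, pattern: str):
    """Return the JSON text the pattern captures from the event, or None if it does not match."""
    m = re.search(pattern, event)
    return m.group(0) if m else None


def totals_by_app_code(json_text: str) -> dict:
    """Mimic the follow-on spath/stats step: total count per app_code."""
    totals = {}
    for row in json.loads(json_text)["unique_appcodes"]:
        totals[row["app_code"]] = totals.get(row["app_code"], 0) + row["count"]
    return totals


if __name__ == "__main__":
    for name, event in (("single-line", EVENT), ("multi-line", PRETTY_EVENT)):
        for label, pat in ((".+", DOT_PATTERN), ("[\\s\\S]+", CLASS_PATTERN)):
            hit = extract_json(event, pat)
            print(f"{name:12} {label:8}: {'match' if hit else 'no match'}")
    print(totals_by_app_code(extract_json(PRETTY_EVENT, CLASS_PATTERN)))
```

On the single-line event both patterns match; once the JSON spans lines, `.+` stops at the first newline and never reaches the closing `}`, while `[\s\S]+` still captures the whole object.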