1

我有一个 Splunk 日志,其中包含一条不同时间戳的消息,带有一些案例编号

"message":"Welcome home user case num 1ABCD-201901-765-2  UserId - 1203 XV - 543 UserAd - 76542 Elect - 5789875 Later Code - QWERZX"

在下面的日志中,如果满足某些条件,也会以不同的时间戳打印一些日志消息

"message":"Passed First class case num 1ABCD-201901-765-2"

"message":"Failed First class case num 1ABCD-201901-765-2"

"message":"Passed Second class case num 1ABCD-201901-765-2"

"message":"Fully Failed case num 1ABCD-201901-765-2"

"message":"Saved case num 1ABCD-201901-765-2"

"message":"Not saved case num 1ABCD-201901-765-2"

"message":"Not user to us case num 1ABCD-201901-765-2"

我想在 Splunk 仪表板中创建一个表,以使用带有这些列的 Splunk 查询列出所有案例编号以及详细信息

Case Num | XV | UserId | UserAd | Elect | Later Code | Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us

如何打印这些列  Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us的真假

4

1 回答 1

0

我假设您还没有为您提供的示例数据构建字段提取(除了message),并且 -如所提供的那样- 它的格式正确(不过,由于它似乎缺少时间戳,我可以告诉一些事情可能有问题)

这应该让你走上正确的道路:

index=ndx sourcetype=srctp message=*
| rex field=message "Passed (?<passed_attempt>\w+)"
| rex field=message "Failed (?<failed_attempt>\w+)"
| rex field=message "case num (?<case_num>\S+)"
| rex field=message "(?<saved>Not saved)"
| rex field=message "(?<saved>Saved)"
| rex field=message "UserId - (?<userid>\w+)"
| rex field=message "XV - (?<xv>\w+)"
| rex field=message "UserAd - (?<userad>\w+)"
| rex field=message "Elect - (?<elect>\w+)"
| rex field=message "Later Code - (?<later_code>\w+)"
| fields passed_attempt failed_attempt _time case_num xv userid elect later_code saved userad
| stats max(_time) as _time values(*) as * by userid case_num

我使用单独的正则表达式来提取字段,因为它们更容易阅读——它们可能(或可能不会)组合起来更高效。

于 2022-02-08T15:21:24.450 回答