Search for unique IPs in Splunk
I have Splunk data like this:
{"@timestamp":"2019-02-26T05:12:30.090+00:00","@version":"1","message":"\n================>\nRequest Details:\n[requestId:abc118f2-qqff-10bb-a900-33cc9b88e333]\n[requestMethod = GET]\n[requestUrl = http://test.api.tmp.com/rawQuantities]\n[requestHeaders = {testing-id=Root=abc-123-xyz, x-forwarded-proto=https, host=test.api.tmp.com, x-forwarded-port=443, content-type=application/json, x-forwarded-for=xx.xx.xx.xx, accept-encoding=gzip,deflate, accept=application/json, user-agent=Apache-HttpClient/4.5.2 (Java/1.8.0_181)}]\n[requestBodySize: 0]\n<================>\n ... ... }
The IP is: x-forwarded-for=xx.xx.xx.xx
I just want to filter out all the unique IPs.
I have tried some combinations, for example:
index=api_dev sourcetype="test-api" message="*" | spath output=field path=_raw.requestDetails.x-forwarded-for
index=api_dev sourcetype="test-api" message=x-forwarded-for*
You can filter it as follows:
index=test_dev sourcetype="test-api" | rex field=message "x-forwarded-for=(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search client_ip="*"
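As an added example (not from the question or the answer), the same extraction done offline in Python over constructed events in the page's log format: the answer's regex pulls the x-forwarded-for value out of the embedded message, and a counter gives the unique IPs the asker wants. The `build_event` helper, the sample IPs and all function names are assumptions made for this illustration.

```python
import json
import re
from collections import Counter

# Same pattern the answer's rex command uses: the x-forwarded-for header
# value as logged inside the "requestHeaders = {...}" block of the message.
XFF_RE = re.compile(
    r"x-forwarded-for=(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

def build_event(xff):
    """Build a constructed event in the page's log format (sample data, not real traffic)."""
    headers = "x-forwarded-proto=https, host=test.api.tmp.com"
    if xff is not None:
        headers += f", x-forwarded-for={xff}"
    headers += ", accept=application/json"
    message = (
        "\n================>\nRequest Details:\n"
        "[requestMethod = GET]\n[requestUrl = http://test.api.tmp.com/rawQuantities]\n"
        f"[requestHeaders = {{{headers}}}]\n[requestBodySize: 0]\n<================>\n"
    )
    return json.dumps({"@timestamp": "2019-02-26T05:12:30.090+00:00",
                       "@version": "1", "message": message})

# Constructed sample events: two IPs that repeat, and one event with no header at all.
SAMPLE_EVENTS = [
    build_event("203.0.113.10"),
    build_event("198.51.100.7"),
    build_event("203.0.113.10"),
    build_event(None),
    build_event("198.51.100.7"),
]

def extract_client_ip(raw_event):
    """Return the x-forwarded-for IP of one JSON event, or None if the header is absent
    (mirrors rex followed by search client_ip="*")."""
    message = json.loads(raw_event).get("message", "")
    match = XFF_RE.search(message)
    return match.group("client_ip") if match else None

def unique_client_ips(raw_events):
    """Count events per client IP, skipping events without the header
    (mirrors stats count by client_ip)."""
    counts = Counter()
    for raw in raw_events:
        ip = extract_client_ip(raw)
        if ip is not None:
            counts[ip] += 1
    return dict(counts)
```

In Splunk the same result is the answer's rex command followed by `| stats count by client_ip`, which both deduplicates the IPs and shows how often each one appears.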