Extract data from Splunk
I have a POST request from which I want to extract the request payload (parameters) and print a table. In the query I'm trying to extract the user_search name field.
I wrote a Splunk query, but it doesn't work for me:
"Parameters: {\"user_search\"=>{\"name\"=>*" | rex field=_raw "/\"user_search\"=>{\"name\"=>/(?<result>.*)" | table result
Splunk data:
I, [2021-09-23T00:46:31.172197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] Parameters: {"user_search"=>{"name"=>"aniket", "has_primary_phone"=>"false", "query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}
host = qa-1132-lx02   source = /src/project.log   sourcetype = data:log
I, [2021-09-23T00:48:31.162197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] Parameters: {"user_search"=>{"name"=>"shivam", "has_primary_phone"=>"false", "query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}
host = qa-1132-lx02   source = /src/project.log   sourcetype = data:log
I, [2021-09-23T00:52:27.171197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] Parameters: {"user_search"=>{"name"=>"tiwari", "has_primary_phone"=>"false", "query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}
host = qa-1132-lx02   source = /src/project.log   sourcetype = data:log
I have two questions:
- How do I write a Splunk query to extract the request payload from the POST request?
- In my query above, I'm not sure what I'm doing wrong. I'd appreciate any suggestions.
At the very least, your regex has an error.
You have:
"/\"user_search\"=>{\"name\"=>/(?<result>.*)"
There is an extra "/" after the "=>".
This seems to pull out what you're looking for:
user_search\"=>{\"name\"=>(?<result>.*)
Edit per the comment "I only want to get values such as aniket and shivam from the name key":
There are a few ways to do what you're asking; which one is more efficient depends on your environment and data.
Option 1
index=ndx sourcetype=srctp ("aniket" OR "shivam")
| rex field=_raw "user_search\"=>{\"name\"=>(?<result>.*)"
| stats count by result
Option 2
index=ndx sourcetype=srctp
| rex field=_raw "user_search\"=>{\"name\"=>(?<result>.*)"
| search result="aniket" OR result="shivam"
| stats count by result
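As an added example (not part of the answer above, and not Splunk's own code), the same extraction done in Python over constructed copies of the posted events: GREEDY mirrors the answer's rex and shows that `.*` captures the name plus everything after it, while TIGHT, a capture group that stops at the closing quote, returns only the name value, so a later `search result="aniket"` compares against just the name. The function names and sample events are my own.

```python
import re

# Constructed sample events, modelled on the three log lines in the question
# (a Ruby logger line carrying a Rails-style Parameters hash).
EVENTS = [
    'I, [2021-09-23T00:46:31.172197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] '
    'Parameters: {"user_search"=>{"name"=>"aniket", "has_primary_phone"=>"false", '
    '"query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}',
    'I, [2021-09-23T00:48:31.162197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] '
    'Parameters: {"user_search"=>{"name"=>"shivam", "has_primary_phone"=>"false", '
    '"query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}',
    'I, [2021-09-23T00:52:27.171197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] '
    'Parameters: {"user_search"=>{"name"=>"tiwari", "has_primary_phone"=>"false", '
    '"query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}',
]

# Same capture as the answer's rex: the greedy .* runs to the end of the event,
# so "result" carries the name value plus everything that follows it.
GREEDY = re.compile(r'user_search"=>\{"name"=>(?P<result>.*)')

# Tighter capture (added here, hypothetical): stop at the closing quote so
# only the name value itself is extracted.
TIGHT = re.compile(r'user_search"=>\{"name"=>"(?P<result>[^"]*)"')


def extract_names(events, pattern=TIGHT):
    """Return the captured 'result' value for each event that matches."""
    results = []
    for event in events:
        match = pattern.search(event)
        if match:
            results.append(match.group("result"))
    return results


def count_by_result(events, wanted=("aniket", "shivam")):
    """Equivalent of `| search result=... | stats count by result`."""
    counts = {}
    for name in extract_names(events):
        if name in wanted:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print(extract_names(EVENTS, GREEDY)[0])  # shows how far .* over-captures
    print(extract_names(EVENTS))            # ['aniket', 'shivam', 'tiwari']
    print(count_by_result(EVENTS))          # {'aniket': 1, 'shivam': 1}
```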