Splunk - 检查等于我提供的任何字符串的日志

Splunk - check logs that are equal to any string I provide

我只想抓取里面有“零容忍”、“晴天霹雳”、“有变化不如休息”价值观的日志。我试过这个但它不起作用它只捕获第一个。 /description=(?零容忍 | 晴天霹雳 | 有变有静)

请记住,要检查的字符串需要由我提供。

  code = random05, description=bird in the hand is worth two in the bush, level=5
  code = random02, description=bolt from the blue, level=8
  code = random09, description=bunch of fives, level=3
  code = random05, description=A chain is only as strong as its weakest link, level=0
  code = random08, description=A change is as good as a rest, level=3```

There are more logs but they are not showing.

您似乎想要匹配 description 之后包含您指定的字符串之一的所有内容。然后你可以使用

description=(?<des>.*(?:Zero tolerance|bolt from the blue|A change is as good as a rest).*)

所以,在这里,“des”组将尽可能多地匹配除换行字符以外的任何零个或多个字符,然后是指定的字符串之一(注意 | 周围的空格被删除)和然后尽可能多地使用除换行符之外的零个或多个字符。

如果您需要通过第一个逗号来限制匹配,请将 . 替换为 [^,]