Splunk - check logs that are equal to any string I provide
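I only want to grab the logs that have the values "Zero tolerance", "bolt from the blue", "A change is as good as a rest" in them. I tried this but it does not work; it only captures the first one. `/description=(?Zero tolerance | bolt from the blue | A change is as good as a rest)`
Keep in mind that the strings to check need to be provided by me.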
```
code = random05, description=bird in the hand is worth two in the bush, level=5
code = random02, description=bolt from the blue, level=8
code = random09, description=bunch of fives, level=3
code = random05, description=A chain is only as strong as its weakest link, level=0
code = random08, description=A change is as good as a rest, level=3
```
There are more logs but they are not showing.
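It seems you want to match everything after `description=` that contains one of the strings you specify. Then you can use

```
description=(?<des>.*(?:Zero tolerance|bolt from the blue|A change is as good as a rest).*)
```

So, here, the "des" group will match any zero or more characters other than line break characters, as many as possible, then one of the specified strings (note that the spaces around `|` are removed), and then any zero or more characters other than line break characters, as many as possible.
If you need to restrict the match by the first comma, replace `.` with `[^,]`.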
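The answer's pattern run against the question's sample lines, as an added example that is not part of the original answer. `escapeRegex`, `buildPattern` and `extract` are hypothetical helpers; JavaScript is used because its `(?<des>...)` named-group syntax matches the pattern above, and the example goes one step further than the answer by escaping regex metacharacters in the supplied strings.

```javascript
// Constructed sample events, copied from the log lines in the question.
const SAMPLE_LOGS = [
  "code = random05, description=bird in the hand is worth two in the bush, level=5",
  "code = random02, description=bolt from the blue, level=8",
  "code = random09, description=bunch of fives, level=3",
  "code = random05, description=A chain is only as strong as its weakest link, level=0",
  "code = random08, description=A change is as good as a rest, level=3",
];

// Escape regex metacharacters so each supplied string is matched literally.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build the answer's pattern from caller-supplied strings (hypothetical helper).
// stopAtComma=true swaps "." for "[^,]" so the group ends at the first comma.
function buildPattern(phrases, stopAtComma = false) {
  const any = stopAtComma ? "[^,]*" : ".*";
  const alternation = phrases.map((p) => escapeRegex(p.trim())).join("|");
  return new RegExp(`description=(?<des>${any}(?:${alternation})${any})`);
}

// Return the captured "des" value for every line that matches.
function extract(lines, pattern) {
  return lines
    .map((line) => pattern.exec(line))
    .filter((m) => m !== null)
    .map((m) => m.groups.des);
}

const PHRASES = ["Zero tolerance", "bolt from the blue", "A change is as good as a rest"];

// Greedy ".*" keeps everything to the end of the line, including ", level=N".
const greedy = extract(SAMPLE_LOGS, buildPattern(PHRASES));
// "[^,]*" stops the capture at the first comma after the description.
const bounded = extract(SAMPLE_LOGS, buildPattern(PHRASES, true));

// The alternation with the question's spaces kept: each space is a literal,
// so " bolt from the blue " would need a space directly after "description=".
const spaced = /description=(?:Zero tolerance | bolt from the blue | A change is as good as a rest)/;
const spacedHits = SAMPLE_LOGS.filter((line) => spaced.test(line));

console.log({ greedy, bounded, spacedHits });
```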