我有一个Splunk日志,其中包含一条不同时间戳的消息,带有一些案例号
"message":"Welcome home user case num 1ABCD-201901-765-2 UserId - 1203 XV - 543 UserAd - 76542 Elect - 5789875 Later Code - QWERZX"
在下面的日志中,如果满足某些条件,也会在不同的时间戳打印一些日志消息
"message":"Passed First class case num 1ABCD-201901-765-2"
"message":"Failed First class case num 1ABCD-201901-765-2"
"message":"Passed Second class case num 1ABCD-201901-765-2"
"message":"Fully Failed case num 1ABCD-201901-765-2"
"message":"Saved case num 1ABCD-201901-765-2"
"message":"Not saved case num 1ABCD-201901-765-2"
"message":"Not user to us case num 1ABCD-201901-765-2"
我想在Splunk仪表板中创建一个表,使用Splunk查询查看,这些列列出了所有案例编号和详细信息
Case Num | XV | UserId | UserAd | Elect | Later Code | Passed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us
如何为这些列打印true和falsePassed First class | Passed Second class | Failed First class | Saved | Not saved | Not user to us我想为每个事例编号检查事例编号是否存在于这些日志中如果它存在,则为该列打印true否则为false
我假设您还没有为您提供的样本数据构建字段提取(除了message(,并且-所提供的-它的格式是正确的(不过,由于它似乎缺少时间戳,我可以告诉可能出了问题(
这应该会让你走上正确的道路:
index=ndx sourcetype=srctp message=*
| rex field=message "Passed (?<passed_attempt>w+)"
| rex field=message "Failed (?<failed_attempt>w+)"
| rex field=message "case num (?<case_num>S+)"
| rex field=message "(?<saved>Not saved)"
| rex field=message "(?<saved>Saved)"
| rex field=message "UserId - (?<userid>w+)"
| rex field=message "XV - (?<xv>w+)"
| rex field=message "UserAd - (?<userad>w+)"
| rex field=message "Elect - (?<elect>w+)"
| rex field=message "Later Code - (?<later_code>w+)"
| fields passed_attempt failed_attempt _time case_num xv userid elect later_code saved userad
| stats max(_time) as _time values(*) as * by userid case_num
我使用了单独的正则表达式来提取字段,因为它们更容易阅读——它们可能(也可能(组合起来更具性能。