我有一个Post查询,我想提取请求有效载荷或参数,并打印一个表。在查询中,我试图提取user_search名称字段
我已经写了一个Splunk查询,但它不为我工作
"Parameters: {"user_search"=>{"name"=>*" | rex field=_raw "/"user_search"=>{"name"=>/(?<result>.*)" | table result
I, [2021-09-23T00:46:31.172197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] Parameters: {"user_search"=>{"name"=>"aniket", "has_primary_phone"=>"false", "query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}
host = qa-1132-lx02source = /src/project.logsourcetype = data:log
I, [2021-09-23T00:48:31.162197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] Parameters: {"user_search"=>{"name"=>"shivam", "has_primary_phone"=>"false", "query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}
host = qa-1132-lx02source = /src/project.logsourcetype = data:log
I, [2021-09-23T00:52:27.171197 #44154] INFO -- : [651235bf-7ad5-4a2e-a3b8-7737a3af9fc3] Parameters: {"user_search"=>{"name"=>"tiwari", "has_primary_phone"=>"false", "query_params"=>{"searchString"=>"", "start"=>"0", "filters"=>[""]}}}
host = qa-1132-lx02source = /src/project.logsourcetype = data:log
我有两个问题
- 如何编写splunk查询来提取post查询中的请求负载
- 在我上面的查询我不确定我做错了什么。如果有人有什么建议,我将非常感激。
至少,你的正则表达式有一个错误
你有:
"/"user_search"=>{"name"=>/(?<result>.*)"
有一个额外的"/";在"=>">
这似乎拉你正在寻找的:
user_search"=>{"name"=>(?<result>.*)
编辑每个评论">我只想获取值,如aniket "从名称键">
有几种方法可以完成您所要求的操作,而哪一种更高效取决于您的环境和数据
选项1
index=ndx sourcetype=srctp ("aniket" OR "shivam")
| rex field=_raw "user_search"=>{"name"=>(?<result>.*)"
| stats count by result
选项2
index=ndx sourcetype=srctp
| rex field=_raw "user_search"=>{"name"=>(?<result>.*)"
| search result="aniket" OR result="shivam"
| stats count by result