Splunk event JSON to table



In Splunk I have an event containing JSON data that describes the state of a list of feature toggles. It looks like this

2023-01-05 15:59:00,025 INFO  [com.example.FeatureToggleRepository] (executor-thread-4) {correlationId=efe2d0be-a4bc-4555-9ef3-cc640a107208, sampled=true, spanId=b200d532717a1a3b, traceId=020c59784f3f5624917ccf12defbc00a} {"featureToggles":[{"id":1,"updatedAt":"2023-01-05T14:59:00.010+00:00","createdAt":"2023-01-05T14:59:00.010+00:00","feature":"FEATURE_1","enabled":true},{"id":12,"updatedAt":"2023-01-05T14:52:46.614+00:00","createdAt":"2023-01-05T14:52:46.614+00:00","feature":"SOME_FEATURE","enabled":true}]}

How do I extract it and put it into a table with the columns id, feature and enabled?

I have tried countless examples but none of them seem to work.

Thanks.

EDIT:

This is what I ended up doing

...query...
| rex field=_raw max_match=0 "id\W+(?<id>\d+)"
| rex field=_raw max_match=0 "updatedAt\W+(?<updated>[^\"]+)"
| rex field=_raw max_match=0 "createdAt\W+(?<created>[^\"]+)"
| rex field=_raw max_match=0 "feature\W+(?<feature>[^\"]+)"
| rex field=_raw max_match=0 "enabled\W+(?<enabled>\w+)"
| eval an_event=mvzip(mvzip(mvzip(mvzip(id,updated,";"),created,";"),feature,";"),enabled,";")
| fields - id updated created feature enabled
| mvexpand an_event
| rex field=an_event "(?<id>[^;]+);(?<updated>[^;]+);(?<created>[^;]+);(?<feature>[^;]+);(?<enabled>.+)"
| table id feature enabled

I suspect something like the following would work, but you would be better off getting that data in as proper JSON (so Splunk handles it natively) or fixing your props.conf and transforms.conf

| rex field=_raw max_match=0 "id\W+(?<id>\d+)"
| rex field=_raw max_match=0 "updatedAt\W+(?<updated>[^\"]+)"
| rex field=_raw max_match=0 "createdAt\W+(?<created>[^\"]+)"
| rex field=_raw max_match=0 "feature\W+(?<feature>[^\"]+)"
| rex field=_raw max_match=0 "enabled\W+(?<enabled>\w+)"

These will all be multivalue fields, so you will probably need to mvzip them and then mvexpand them out (re-extracting afterwards), like this:

| eval an_event=mvzip(mvzip(mvzip(mvzip(id,updated,";"),created,";"),feature,";"),enabled,";")
| fields - id updated created feature enabled
| mvexpand an_event
| rex field=an_event "(?<id>[^;]+);(?<updated>[^;]+);(?<created>[^;]+);(?<feature>[^;]+);(?<enabled>.+)"

@warren's answer is good. Here is another way to extract the fields.

``` Extract the JSON body ```
| rex "(?<json>{\"featureToggles.*})"
``` Parse the JSON ```
| spath input=json
``` Make the field name easier to manage ```
| rename featureToggles{}.* as *
| table id feature enabled

As @warren said, you may need to use mvzip and mvexpand to split the fields out into separate events.
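As an added example that is not part of the original thread, the Python script below does offline what the two answers do in SPL. `toggles_via_json` isolates the JSON body with the same `{"featureToggles` anchor the spath answer uses and parses it; `toggles_via_rex` reproduces the five max_match=0 rex patterns of the first answer with re.findall and pairs the resulting lists positionally with zip(), which is the role mvzip plays. Both sample events are constructed for this example: the first is the event from the question, the second is made up with three toggles, one of which is disabled and has no updatedAt key, to show why the rex route needs a count check that the spath route does not. The function and constant names are this example's own, not Splunk's.

```python
import json
import re

# Constructed sample events, not taken from a real system. PREFIX mirrors the
# log prefix from the question; EVENT_MISSING_KEY is invented and deliberately
# omits "updatedAt" from toggle 4.
PREFIX = (
    "2023-01-05 15:59:00,025 INFO  [com.example.FeatureToggleRepository] "
    "(executor-thread-4) {correlationId=efe2d0be-a4bc-4555-9ef3-cc640a107208, "
    "sampled=true, spanId=b200d532717a1a3b, traceId=020c59784f3f5624917ccf12defbc00a} "
)
EVENT_FROM_QUESTION = PREFIX + (
    '{"featureToggles":[{"id":1,"updatedAt":"2023-01-05T14:59:00.010+00:00",'
    '"createdAt":"2023-01-05T14:59:00.010+00:00","feature":"FEATURE_1","enabled":true},'
    '{"id":12,"updatedAt":"2023-01-05T14:52:46.614+00:00",'
    '"createdAt":"2023-01-05T14:52:46.614+00:00","feature":"SOME_FEATURE","enabled":true}]}'
)
EVENT_MISSING_KEY = PREFIX + (
    '{"featureToggles":[{"id":3,"updatedAt":"2023-01-06T09:00:00.000+00:00",'
    '"createdAt":"2023-01-06T09:00:00.000+00:00","feature":"FEATURE_A","enabled":true},'
    '{"id":4,"createdAt":"2023-01-06T09:05:00.000+00:00","feature":"FEATURE_B","enabled":false},'
    '{"id":5,"updatedAt":"2023-01-06T09:10:00.000+00:00",'
    '"createdAt":"2023-01-06T09:10:00.000+00:00","feature":"FEATURE_C","enabled":true}]}'
)

# Same anchor as the spath answer's rex: the JSON body starts at {"featureToggles
JSON_BODY = re.compile(r'(\{"featureToggles.*\})')


def toggles_via_json(raw):
    """rex + spath equivalent: isolate the JSON body, parse it, one row per toggle."""
    match = JSON_BODY.search(raw)
    if match is None:
        return []
    doc = json.loads(match.group(1))
    return [(t["id"], t["feature"], t["enabled"]) for t in doc["featureToggles"]]


# Python forms of the five max_match=0 rex patterns from the first answer.
# re.findall returns every match, which is what max_match=0 does in SPL.
REX_FIELDS = {
    "id": re.compile(r"id\W+(\d+)"),
    "updated": re.compile(r'updatedAt\W+([^"]+)'),
    "created": re.compile(r'createdAt\W+([^"]+)'),
    "feature": re.compile(r'feature\W+([^"]+)'),
    "enabled": re.compile(r"enabled\W+(\w+)"),
}


def toggles_via_rex(raw):
    """rex chain + mvzip + mvexpand equivalent.

    Each pattern yields one parallel list (a multivalue field). zip() pairs
    them by position, as mvzip does, and truncates at the shortest list.
    Returns (rows, counts) so the caller can verify that every field produced
    the same number of values before trusting the pairing.
    """
    lists = {name: pat.findall(raw) for name, pat in REX_FIELDS.items()}
    counts = {name: len(vals) for name, vals in lists.items()}
    rows = list(zip(lists["id"], lists["updated"], lists["created"],
                    lists["feature"], lists["enabled"]))
    return rows, counts


def positions_agree(counts):
    """True only when every extracted field has the same number of values,
    the precondition for positional (mvzip-style) pairing to be trustworthy."""
    return len(set(counts.values())) == 1


if __name__ == "__main__":
    for raw in (EVENT_FROM_QUESTION, EVENT_MISSING_KEY):
        print("spath-style:", toggles_via_json(raw))
        rows, counts = toggles_via_rex(raw)
        status = "aligned" if positions_agree(counts) else f"MISALIGNED {counts}"
        print("rex-style:  ", [(r[0], r[3], r[4]) for r in rows], status)
```

On the question's event both routes agree. On the second event the rex route extracts two updatedAt values against three ids, so positional pairing gives toggle 4 the timestamp that belongs to toggle 5 and the third toggle never appears as a row at all (zip truncates; how mvzip itself handles lists of unequal length is not shown here, but in either case the rows stop mapping one-to-one to toggles, and nothing in the SPL flags it). Checking that the multivalue counts agree before mvzip catches this; parsing the body with spath avoids it entirely, and, as @warren noted, having the source emit proper JSON or configuring props.conf and transforms.conf is better still.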
