我是SPlunk的新手,尝试做一些仪表板,需要帮助提取特定变量的字段
在我的情况下,我只想将KB_List":"KB000119050,KB000119026,KB000119036"值提取到列
Expected output:
KB_List
KB000119050,KB000119026,KB000119036
我试过了:
| rex field=_raw "*"KB_List":(?<KB_List>d+)*"
在日志中突出显示了以下部分
svc_log_ERROR","Impact":4.0,"CategoryId":"94296c474f356a0009019ffd0210c738","hasKBList":"true","lastNumOfAlerts":1,"splunkURL":false,"impactedInstances":","highestSeverity":"Minor","Source":"hsym-plyfss01","reqEmail":"true","AlertGroup":"TIBCOP","reqPage":"26,KB000119036","reqTicket":"true","autoTicket":true","SupportGroup":"TESTPP","Environment":"UAT","Urgency":4.0","AssetId":"AST000000000159689","LiveSupportGroup":"TESTPP","sentPageTo":"TESTPP"},"Notification":{":{
rex field=_raw "KB_List":"(?<KB_List>[^"])""
这个正则表达式将查找以KB_List":"开头的任何内容,即捕获除"之外的所有内容。
在您的示例中,您只捕获数字(d+(,而KB_List字段中的内容也包含字符("KB"one_answers","(
唉:
我通过查看这么多文章发现:
| rex "KB_List":"(?<KB_Listed>[^"]+)" | table KB_Listed