
Splunk: check whether a message contains a specific string

Pratap A.K · Tech Community · 6 years ago

    Log message:

    message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...

    I want to check whether the message contains a certain string and, based on that, assign 1 or 0 to a variable.

    Splunk search query:

    (index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
    | rex field=_raw "^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
    | timechart count as status | eval status=if(isnull(success_status_message), 0, 1)


    success_status_message is always null.

1 reply

RichG · 6 years ago

    Part of the problem is the regex string, which doesn't match the sample data. The other problem is the unnecessary timechart command, which filters out the success_status_message field. Try this search:

    (index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
    | rex "\s-\s(?P<success_status_message>.*)"
    | eval status=if(match(success_status_message, "Connected successfully, creating telemetry consumer"), 1, 0)

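To see why the two rex patterns behave differently, here is an added Python emulation (not code from the question or the answer) that runs both regexes and the answer's eval logic over constructed sample events. The `message:     ` label prefix is an assumption about one way `_raw` might be laid out; the event lines are constructed from the three messages the search selects.

```python
import re

# Constructed sample events (not from the original post) modelled on the three
# messages the search selects; the success line copies the question's example.
EVENTS = [
    "2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] "
    "INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...",
    "2018-09-21T07:15:31,002+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] "
    "WARN  com.nsc.iot.hono.receiver.HonoReceiver - Retry connecting in 1000ms ...",
    "2018-09-21T07:15:30,990+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] "
    "ERROR com.nsc.iot.hono.receiver.HonoReceiver - Connect or create consumer failed with exception",
]

# The answer's rex: capture everything after the " - " separator.
REX_ANSWER = re.compile(r"\s-\s(?P<success_status_message>.*)")
# The question's rex: skip seven space-delimited tokens, then expect five words.
REX_QUESTION = re.compile(
    r"^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
)
SUCCESS_PHRASE = "Connected successfully, creating telemetry consumer"


def rex(pattern, raw):
    """Emulate `rex`: return the named capture, or None where Splunk would leave the field null."""
    m = pattern.search(raw)
    return m.group("success_status_message") if m else None


def status(raw):
    """Emulate the answer's eval: 1 if the captured text matches the success phrase, else 0."""
    msg = rex(REX_ANSWER, raw)
    return 1 if msg is not None and re.search(SUCCESS_PHRASE, msg) else 0


def compare_extractions(raw):
    """Run both regexes on one event, and on the same event with an assumed
    'message:     ' label prefix like the one the question's listing displays."""
    labelled = "message:     " + raw
    return {
        "answer": rex(REX_ANSWER, raw),
        "answer_labelled": rex(REX_ANSWER, labelled),
        "question": rex(REX_QUESTION, raw),
        "question_labelled": rex(REX_QUESTION, labelled),
    }


if __name__ == "__main__":
    for e in EVENTS:
        print(status(e), rex(REX_ANSWER, e))
    print(compare_extractions(EVENTS[0]))
```

The positional regex from the question depends on the exact number of spaces before the message, so whether it matches turns on the precise layout of `_raw`; anchoring on the ` - ` separator does not.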