Splunk - 检查与我提供的任何字符串相同的日志
我只想捕获包含“零容忍”、“晴天霹雳”、“改变与休息一样好”等值的日志。我已经尝试过这个,但它不起作用,它只捕获了第一个。 /description=(?零容忍 | 晴天霹雳 | 改变和休息一样好)
请记住,要检查的字符串需要由我提供。
code = random05, description=bird in the hand is worth two in the bush, level=5
code = random02, description=bolt from the blue, level=8
code = random09, description=bunch of fives, level=3
code = random05, description=A chain is only as strong as its weakest link, level=0
code = random08, description=A change is as good as a rest, level=3```
There are more logs but they are not showing.
I want to capture only the logs that hold the values of "Zero tolerance", "bolt from the blue", "A change is as good as a rest" inside. I've tried with this but it doesn't work it only captures the first one. /description=(?Zero tolerance | bolt from the blue | A change is as good as a rest)
Have in mind that the strings to check needs to be provided by me.
code = random05, description=bird in the hand is worth two in the bush, level=5
code = random02, description=bolt from the blue, level=8
code = random09, description=bunch of fives, level=3
code = random05, description=A chain is only as strong as its weakest link, level=0
code = random08, description=A change is as good as a rest, level=3```
There are more logs but they are not showing.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看起来您想要匹配
description之后包含您指定的字符串之一的任何内容。然后您可以使用所以,这里,“des”组将尽可能匹配除了换行符之外的任何零个或多个字符,然后指定的字符串之一(注意
|周围的空格被删除) ),然后再次是除换行符之外的尽可能多的任何零个或多个字符。如果需要通过第一个逗号限制匹配,请将
.替换为[^,]。It looks like you want to match anything after
descriptionthat contains one of the strings you specified. You can then useSo, here, "des" group will match any zero or more chars other than line break chars as many as possible, then one of the specified strings (note the spaces around
|are removed) and then again any zero or more chars other than line break chars as many as possible.If you need to limit the match by the first comma, replace
.with[^,].