How to use tokens in rex in Splunk?

Published 2025-01-19 00:32:39 · 3740 characters · 0 views · 0 comments

I have a token $token_rex$ set up as follows in the dashboard:

<set token="token_rex">mvjoin(mvmap('token_keywords_mv',"(?&lt;".'token_keywords_mv'."&gt;".'token_keywords_mv'."+?)"), "|")</set>

token_keywords_mv is basically the following:

lorem
ipsum
situs

The resulting token looks like this:

(?<lorem>lorem+?)|(?<ipsum>ipsum+?)|(?<situs>situs+?)

The query I am trying to run is as follows:

index=* | rex field=_raw "(?i)".$token_rex$

Ideally the above should be rendered like so:

index=* | rex field=_raw "(?i)(?<lorem>lorem+?)|(?<ipsum>ipsum+?)|(?<situs>situs+?)"

I have tried using the token filters $token_rex|s$ and $token_rex|n$ but neither works. I have even tried to return the value from a subsearch:

index=* | rex field=_raw [| makeresults | eval string_rex=$token_rex$ | return $string_rex]

Update: Found out that the token is being passed verbatim to the rex command. My token is set as follows:

<set token="token_rex">mvjoin(mvmap('token_keywords_mv',"(?&lt;".'token_keywords_mv'."&gt;".'token_keywords_mv'."+?)"), "|")</set>

When I used it as ... | rex field=_raw '(?i)$token_rex$' it gives me the following error:

Error in 'rex' command: Encountered the following error while compiling the regex ''(?i)mvjoin(mvmap('token_keywords_mv'': Regex: missing closing parenthesis.

When I set it as the value directly, however, it works:

<set token="token_rex">(?&lt;lorem&gt;lorem+?)|(?&lt;ipsum&gt;ipsum+?)|(?&lt;situs&gt;situs+?)</set>

Update: Here's a sample dashboard.

<dashboard theme="dark">
  <init>
    <set token="token_keywords_mv">split("lorem,ipsum,situs", ",")</set>
    <set token="token_keywords_starred">"*".mvjoin($token_keywords_mv$, "* OR *")."*"</set>
    <set token="token_rex">"(?i)".mvjoin(mvmap('token_keywords_mv', "(?&lt;".'token_keywords_mv'."&gt;".'token_keywords_mv'."+?)"), "|")</set>
    <set token="token_raw">(?&lt;lorem&gt;lorem+?)|(?&lt;ipsum&gt;ipsum+?)|(?&lt;situs&gt;situs+?)</set>
  </init>
  <label>Test Search</label>
  <description>Multivalue</description>
  <row>
    <panel>
      <table>
        <search>
          <query>index=* 
    [| makeresults 
    | eval string_search=$token_keywords_starred$ 
    | return $string_search] 
| rex field=_raw $token_raw|s$ 
| stats count(lorem) AS Lorem, count(ipsum) AS Ipsum, count(situs) AS Situs
| eval header="Count" 
| transpose column_name="String" header_field=header</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>ECHO</title>
        <search>
          <query>| localop 
| makeresults 
| eval token_keywords_starred=$token_keywords_starred$, token_keywords_mv=$token_keywords_mv$, token_rex=$token_rex$, token_raw=$token_raw|s$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

If any other token replaces $token_raw|s$, there will be an error. Using Splunk 8.0.3.

Comments (1)

凉城凉梦凉人心 2025-01-26 00:32:39

When I try to reproduce your results with this dashboard code:

<form>
  <label>test</label>
  <fieldset submitButton="false">
    <input type="text" token="token_rex">
      <label>field1</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <title>test</title>
        <search>
          <query>| makeresults | eval _raw="lorem ipsum dolor"
| rex "(?i)$token_rex$"
|  table lorem ipsum situs</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

I get this optimized search (as reported by Job Inspector):

| makeresults | rex field=_raw "(?i)(?<lorem>lorem+?)|(?<ipsum>ipsum+?)|(?<situs>situs+?)"

It looks like the concatenation is not needed.


Update: Change all the set tags to eval and use mvzip instead of mvmap. The set tag does not compute, while the eval tag does.

    <eval token="token_keywords_mv">split("lorem,ipsum,situs", ",")</eval>
    <eval token="token_keywords_starred">"*".mvjoin($token_keywords_mv$, "* OR *")."*"</eval>
    <eval token="token_rex">"(?&lt;".mvjoin(mvzip('token_keywords_mv','token_keywords_mv',"&gt;"),"+?)|(?&lt;")."+?)"</eval>
    <set token="token_raw">(?&lt;lorem&gt;lorem+?)|(?&lt;ipsum&gt;ipsum+?)|(?&lt;situs&gt;situs+?)</set>
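Putting the question's mvmap token and the answer's mvzip rewrite together, here is an added example (my own code, not from either post or from Splunk) that reproduces the token-building logic in Python and adds the checks a practitioner would want before concatenating keyword values into a regex. The keyword list and the four `_raw` events are constructed for the example. Python's `re` spells named groups `(?P<name>...)` while Splunk's PCRE uses `(?<name>...)`, so the builders emit either form. Two things the page's expression does not handle: the keyword is pasted into the pattern unescaped, so a value containing regex metacharacters breaks the pattern or changes what the whole alternation matches (and, as `group_name()` shows, also yields an invalid group name), and the trailing `+?` in `lorem+?` binds to the final letter rather than to the word. The counting function also shows why a `stats count(lorem) ...` panel fed by this regex undercounts: `rex` extracts only the first match per event unless `max_match=0` is given, so with an alternation only the first keyword found in an event populates its field.

```python
import html
import re
from collections import Counter

# Constructed for this example: the keyword list the dashboard splits out of
# "lorem,ipsum,situs", plus a handful of fake _raw events to run the regex over.
KEYWORDS = ["lorem", "ipsum", "situs"]
EVENTS = [
    "lorem ipsum dolor",          # two keywords; "lorem" is the first match
    "Ipsum only here",            # only matches because of (?i)
    "nothing of interest",        # no keyword at all
    "situs and LOREM together",   # two keywords; "situs" is the first match
]


def naive_rex(keywords, python_syntax=False):
    """Mirror of the dashboard's mvjoin/mvzip expression: the keyword is pasted
    into the pattern unescaped, both as group name and as the text to match,
    and the '+?' binds only to the last letter ('lorem+?' is 'lore' then 'm+?')."""
    opener = "(?P<" if python_syntax else "(?<"
    return "(?i)" + "|".join(f"{opener}{kw}>{kw}+?)" for kw in keywords)


def group_name(keyword):
    """Capture-group names must match [A-Za-z_][A-Za-z0-9_]* in both PCRE (Splunk)
    and Python; derive a safe name so a keyword like 'sit.us' cannot break the regex."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", keyword)
    if not name or name[0].isdigit():
        name = "kw_" + name
    return name


def build_rex(keywords, python_syntax=False):
    """Hardened equivalent of the $token_rex$ token.

    re.escape() stops a keyword from injecting regex syntax (a value with '|', ')'
    or '.' would otherwise change what the whole alternation matches), the group
    name is sanitised, and the pointless trailing '+?' is dropped."""
    opener = "(?P<" if python_syntax else "(?<"
    parts = [f"{opener}{group_name(kw)}>{re.escape(kw)})" for kw in keywords]
    return "(?i)" + "|".join(parts)


def to_simple_xml(token_value):
    """What has to appear inside <set>/<eval> in Simple XML: '<' and '>' must be
    written as entities or the dashboard XML does not parse."""
    return html.escape(token_value, quote=False)


def compiles(pattern):
    """True if Python's re accepts the pattern (used to show the invalid naive forms)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def count_keywords(events, keywords, all_matches=False):
    """Equivalent of `rex field=_raw $token_rex$ | stats count(lorem) count(ipsum) ...`.

    rex extracts only the first match per event unless max_match=0 is given, so
    with an alternation only the first keyword found populates its field.
    all_matches=True models `rex max_match=0`, where every keyword present counts."""
    pattern = re.compile(build_rex(keywords, python_syntax=True))
    counts = Counter({group_name(kw): 0 for kw in keywords})
    for raw in events:
        if all_matches:
            found = {m.lastgroup for m in pattern.finditer(raw)}
        else:
            m = pattern.search(raw)
            found = {m.lastgroup} if m else set()
        for name in found:
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    print("token value :", build_rex(KEYWORDS))
    print("in XML      :", to_simple_xml(build_rex(KEYWORDS)))
    print("first match :", count_keywords(EVENTS, KEYWORDS))
    print("max_match=0 :", count_keywords(EVENTS, KEYWORDS, all_matches=True))
    print("naive sit.us:", compiles(naive_rex(["sit.us"], python_syntax=True)))
```

The value `build_rex()` returns is what the token should carry; in the dashboard source it still has to be XML-escaped (`to_simple_xml()` shows the form), and if it is computed in Simple XML it needs an `<eval>` element rather than `<set>`, as the answer notes.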