如何通过正则表达式从日志(Splunk)获取端口号:
{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"**eth-0-36**"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}
端口符号可能因设备而异:
Eth1 / 1.2; Eth1 / 2.500; eth-0-19 / 4; eth-0-4; Eth1 / 4
我尝试过\W+((?i)Eth....(?-i))\W+
,但在Splunk中不起作用。
为了匹配不同的格式,您可以使用:
\beth\d*(?:-\d+)*(?:/\d+(?:\.\d+)?)?\b
\b
字边界eth\d*
匹配一个0+数字(?:-\d+)*
重复0+次-和1+数字(?:
非捕获组/\d+(?:\.\d+)?
匹配/
,1个以上的数字,以及可选的.
和1个以上的数字)?
关闭非捕获组并使其为可选]\b
字边界这应该起作用:
(?<=")[Ee]th.*?(?=")
它只查找2个引号之间的eth字符串。但是,如果您希望对所提供的测试用例更加严格,则@TheFourthBird的答案可能会更好