我的 Splunk 记录了类似
[user name] [traceid] ldap authentication { “status” : “success” , “username”: “123”} MULTIEXCEPTION some text….我正在尝试 Splunk 查询,该查询以表格格式给出结果。有任何查询建议吗?
Status username
Success 123
Fail 234
正如 @rex 所写,使用
rextableindex=foo
``` Extract the status field ```
``` Triple escapes are needed because of multiple layers of processing ```
| rex "status\\\"\s*:\s*\\\"(?<status>[^\\\"]+)"
``` Extract the username field using a separate command for order-independence ```
| rex "username\\\"\s*:\s*\\\"(?<username>[^\\\"]+)"
| table status username