我在splunk中有这样的数据:
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 3/XYZ/true/false
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 4/AHJGS/true/false
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 3/AJJ/true/false
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 6/XYZ/true/false
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 3/XYZ/true/false
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 6/123/true/false
DEBUG demp.find - [Local-Log] Parameters name/city/isActive/: 3/HJG/true/false
我想从splunk值是动态的name查询中获得此结果,此后我不在乎任何事情
like:Parameters name/city/isActive/: {regex here to get name value},然后将其另存为新值以供用户使用。请为此指导我。
谢谢
rex field=_raw "Parameters name/city/isActive/:(?<all>(?<part1>.*)/(?<part2>.*)/(?<part3>.*)/(?<part4>.*))"