Java splunk 检查消息是否包含特定字符串
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/52441129/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
splunk check if message contains certain string
提问by Pratap A.K
In Splunk search query how to check if log message has a text or not?
在 Splunk 搜索查询中如何检查日志消息是否有文本?
Log message:
日志消息:
message: 2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...
and I want to check if message contains "Connected successfully, creating telemetry consumer ..."and based on this want to assign 1 or 0 to a variable
我想检查消息是否包含“连接成功,创建遥测消费者......”并基于此想将 1 或 0 分配给变量
Splunk search Query
Splunk 搜索查询
(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex field=_raw ^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status | eval status=if(isnull(success_status_message), 0, 1)
success_status_message is always null
success_status_message 始终为空
采纳答案by RichG
Part of the problem is the regex string, which doesn't match the sample data. Another problem is the unneeded timechartcommand, which filters out the 'success_status_message' field. Try this search:
问题的一部分是正则表达式字符串,它与示例数据不匹配。另一个问题是不需要的timechart命令,它过滤掉了“success_status_message”字段。试试这个搜索:
(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex "\s-\s(?P<success_status_message>.*)"
| eval status=if(match(success_status_message, "Connected successfully, creating telemetry consumer"), 1, 0)
