KQL beginner - I have some CEF logs hitting one of my servers, and I need to get into the data to pull some meaningful reports from it.
Getting this log - not JSON, just a string:
CEF:0|vendor1|vendorproduct|1.0|Event1|Event2|1|source_ip=0.0.0.0 rt=2020-04-28T04:17:05.475Z data1=example1 group=example2 endpoint=55555555 user=444444
I want to access each field and store it as a var for further queries. What is the best way to achieve this? Regex? String functions?
| extend vendorname = // = vendor1
| extend source_ip = // = 0.0.0.0
| extend endpoint = // = 55555555
// etc
Answer 0: (score: 2)
OK, I figured this out - see the KQL below to achieve what I wanted:
Syslog
| where SyslogMessage has "vendor-name"
// split() returns a dynamic array; index 0 is the "CEF:0" prefix, so the header fields start at 1
| extend logs = split(SyslogMessage, "|")
| extend vendor = logs[1]
| extend app = logs[2]
| extend version = logs[3]
| extend event = logs[4]
| extend msg = logs[5]
// each literal carries its leading space, otherwise the captured value keeps a trailing blank
| parse SyslogMessage with * "source_ip=" source_ip " rt=" rt " id=" id " data1=" data1 " group=" group " endpoint=" endpoint " user=" user
| project vendor, app, version, event, msg, rt, data1, source_ip, id, group, endpoint, user
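The same header/extension split, as an added example in Python rather than KQL (not code from the question or the answer): it handles the two cases a plain split on "|" and a positional parse get wrong, an escaped "\|" inside a header field and an extension value that contains spaces or an escaped "=". The sample lines are constructed for the example; the first is the line from the question.

```python
import re
# Constructed sample lines (not from any real device): the line from the question, and one
# with an escaped '|' in the header plus a value with spaces and an escaped '=' in the extension.
SAMPLE = ("CEF:0|vendor1|vendorproduct|1.0|Event1|Event2|1|"
          "source_ip=0.0.0.0 rt=2020-04-28T04:17:05.475Z data1=example1 "
          "group=example2 endpoint=55555555 user=444444")
ESCAPED = "CEF:0|vendor1|prod\\|uct|1.0|E1|E2|5|msg=hello big world src=10.0.0.1 note=a\\=b"
HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity"]
# An extension key is a run of key chars followed by '=' at the start or right after whitespace,
# so an escaped '\=' inside a value is never taken as a key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

def split_header(line):
    """Split the seven '|'-delimited header fields, honouring backslash escapes.
    Returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: take it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":                         # unescaped pipe ends the field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, line[i:]

def unescape(value):  # '\=' -> '=', '\\' -> '\', '\n' and '\r' -> control chars
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Each value runs up to the next ' key=' token, so spaces inside values survive."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end])
    return out

def parse_cef(line):  # one flat dict: header fields plus every extension key/value
    fields, ext = split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: " + line[:40])
    record = dict(zip(HEADER, fields))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    record.update(parse_extension(ext))
    return record
```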