我目前正在编写prop configure来验证我的活动
活动
Feb 03 13:22:23 Jessica-Ubuntu kernel: [ 7098.424722] usb 1-1: Manufacturer: SanDisk Feb 3 13:22:23 Jessica-Ubuntu kernel: [ 7098.424725] usb 1-1: SerialNumber: 200522427013E6812147 Feb 4 22:11:46 Jessica-Ubuntu kernel: [ 2.710593] usb 2-2.1: Product: Virtual Bluetooth Adapter Feb 4 22:11:46 Jessica-Ubuntu kernel: [ 2.710597] usb 2-2.1: SerialNumber: 000650268328
Prop.Config设置
[source::linuxusb]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec
EXTRACT-date = (?i) .*? (?P<date>\w+\s+\d+\s+\d+:\d+:\d+)\s+\w+
EXTRACT-description = (?i) Product: (?P<description>.+?)\s+\w+\s+\d+
EXTRACT-device_mfg = (?i) Manufacturer: (?P<device_mfg>[^ ]+)
EXTRACT-serial_number = (?i) SerialNumber: (?P<serial_number>.+)
SerialNumber的结果
200522427013E6812147 Feb 4 22:11:46 Jessica-Ubuntu kernel: [ 2.710593] usb 2-2.1: Product: Virtual Bluetooth Adapter Feb 4 22:11:46 Jessica-Ubuntu kernel: [ 2.710597] usb 2-2.1: SerialNumber: 000650268328`
我只想200522427013E6812147。我如何仅获取此数据。请帮忙
答案 0 :(得分:0)
假设提供的事件是4个单独的事件(查看时间戳):
Feb 03 13:22:23 Jessica-Ubuntu kernel: [ 7098.424722] usb 1-1: Manufacturer: SanDisk
Feb 3 13:22:23 Jessica-Ubuntu kernel: [ 7098.424725] usb 1-1: SerialNumber: 200522427013E6812147
Feb 4 22:11:46 Jessica-Ubuntu kernel: [ 2.710593] usb 2-2.1: Product: Virtual Bluetooth Adapter
Feb 4 22:11:46 Jessica-Ubuntu kernel: [ 2.710597] usb 2-2.1: SerialNumber: 000650268328
修改EXTRACT-serial_number,将其更改为:
EXTRACT-serial_number = (?i) SerialNumber: (?P<serial_number>[^ ]+)
此外,如果Splunk无法将上述4个事件(基于时间戳)识别为4个单独的事件,请尝试将SHOULD_LINEMENRGE更改为false。