我有一个powershell脚本,可以将数据写入MS SQL数据库。 我使用命令 get-winevent 。
行@Configuration
@EnableWebMvc
@EnableSwagger2
public class SwaggerConfig extends WebMvcConfigurerAdapter {
@Bean
public Docket api() {
// @formatter:off
return new Docket(DocumentationType.SWAGGER_2)
.useDefaultResponseMessages(false)
.pathMapping("/")
.select()
.apis(RequestHandlerSelectors.any())
.build().apiInfo(apiInfo());
}
private ApiInfo apiInfo() {
return new ApiInfoBuilder().title("Rest API")
.description("Describes the restful interface")
.build();
}
@Override
public void addResourceHandlers(final ResourceHandlerRegistry registry) {
registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
}
}
非常长,包含不需要的数据e.q. SID等。
如何剪切此命令的输出?
更新
代码段如下:
Message控制台中的输出如下所示:
LevelDisplayName:信息
LogName:安全
TaskDisplayName:用户帐户管理
TimeCreated:18.07.2016 11:55:42
消息:帐户名称:username_xxx帐户域:
如何在$events = Get-WinEvent @{LogName = "System"; ID = 4726} | select LevelDisplayName, LogName, TaskDisplayName, TimeCreated,@{N='Message';E={
$m = [regex]::Match($_.Message, '.*Account Name: (?<account>[^ ]*).*Account Domain: (?<domain>[^ ]*).*')
"Account Name: $($m.Groups['account']) Account Domain: $($m.Groups['domain'])"
}}
$events
和值之间看到一些空的影响。我怎么能忽略这种空洞的影响?
答案 0 :(得分:1)
试试这个:
Get-WinEvent | select TimeCreated,@{N='Message';E={
$split = $_.Message.Split('. ');
if ($split.Length -gt 4){
[string]::Join('. ', ($split[0], $split[4]))
} else {
$_.Message
}
}}
根据您的更新:
Get-WinEvent | select TimeCreated,@{N='Message';E={
$m = [regex]::Match($_.Message, '.*Account Name: (?<account>[^ ]*).*Account Domain: (?<domain>[^ ]*).*')
"Account Name: $($m.Groups['account']) Account Domain: $($m.Groups['domain'])"
}}
测试用例:
$arg = [PSCustomObject]@{TimeCreated=Get-Date;Message="A user account was deleted. Subject: Security ID: SID_xxx Account Name: username_xxx Account Domain: domain_xxxx Logon ID: Target Account: Security ID: SID_xxx Account Name: name_xxx Account Domain: domain_xxx Additional Information: Privileges"},
[PSCustomObject]@{TimeCreated=Get-Date;Message="A user account was deleted. Subject: Security ID: MySecurityID Account Name: myusername Account Domain: mydomain Logon ID: 0x30ffebc Target Account: Security ID: my securityid Account Name: myusername Account Domain: mydomain Additional Information: Privileges"},
[PSCustomObject]@{TimeCreated=Get-Date;Message="Account Domain: myuserdomain"},
[PSCustomObject]@{TimeCreated=Get-Date;Message="Account Name: myusername"}
$arg | select TimeCreated,@{N='Message';E={
$n = [regex]::Match($_.Message, '.*Account Name: ([^ $]*).*')
$d = [regex]::Match($_.Message, '.*Account Domain: ([^ $]*).*')
$result = if ($n.Success) { "Account Name: $($n.Groups[1])" }
if ($d.Success){
if ($result) { $result += " Account Domain: $($d.Groups[1])" }
else { $result = "Account Domain: $($d.Groups[1])" }
}
$result
}}
返回:
TimeCreated Message
----------- -------
2016-08-30 08:03:57 Account Name: name_xxx Account Domain: domain_xxx
2016-08-30 08:03:57 Account Name: myusername Account Domain: mydomain
2016-08-30 08:03:57 Account Domain: myuserdomain
2016-08-30 08:03:57 Account Name: myusername
答案 1 :(得分:0)
您可以使用Substring。
Get-WinEvent ... |
Select-Object TimeCreated, @{n='Message';e={
if ($_.Message.Length -gt 500) {
$_.Message.Substring(0, 500)
} else {
$_.Message
}
}}
试图挑出句子。这将重新组合消息中的第一个和第五个句子。如果第五个是空白的,那么你只能获得第一个。修剪用于清除不必要的新行。
Get-WinEvent ... |
Select-Object TimeCreated, @{n='Message';e={
$message = $_.Message -split '\. '
($message[0] + "`r`n" + $message[4]).Trim()
}}