我希望 Splunk 把页面内容拆分成单独的事件,但它做不到。我试图用 sed 去掉事件之间的逗号,但进展并不顺利。下面是输入 JSON 的一部分:
"last_updated":"2017-02-28T17:56:19Z"},{"id":588699,"name":null,...
这是我正在尝试的sed行
# NOTE(review): neither s command carries the g flag, so only the first "},{"
# on each input line is rewritten to "}+{"; later record boundaries stay joined.
# tr then turns every "+" into a newline, including any "+" inside the data.
sed -e "s/},{/}+{/" -e "s/}[^}]*$/}/" secunia.txt | tr "+" "\n"
我已把它放在 Barmar 帮我写的脚本中的 for 循环之外,但它并没有去掉事件之间的逗号(,)。我遗漏了什么?
以下是一些数据:
{"id":588699,"name":null,"status":{"id":2963,"name":"Handled"},"priority":{"id":2873,"name":"Urgent"},"queue":{"id":2144,"name":"Default"},"description":null,"assigned_to":{"id":4120,"username":"user4@company.com"},"asset_list":{"id":4777,"name":"Info Security Threat_Splunk"},"advisory":{"id":199003,"advisory_identifier":"SA74447","title":"Blue Coat Security Analytics Multiple Vulnerabilities","released":"2016-12-21T15:24:53Z","modified_date":"2016-12-21T15:24:53Z","criticality":2,"criticality_description":"Highly critical","solution_status":4,"solution_status_description":"Partial Fix","where":1,"where_description":"From remote","cvss_score":10.0,"cvss_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:TF/RC:C)","type":0,"is_zero_day":false},"created":"2016-12-21T15:33:09Z","pretty_id":79,"custom_score":null,"last_updated":"2016-12-21T15:40:28Z"},{"id":584252,"name":null,"status":{"id":2963,"name":"Handled"},"priority":{"id":2873,"name":"Urgent"},"queue":{"id":2144,"name":"Default"},"description":null,"assigned_to":{"id":4118,"username":"user3@company.com"},"asset_list":{"id":4657,"name":"PSS Middleware Environment"},"advisory":{"id":195840,"advisory_identifier":"SA73221","title":"Oracle Solaris Multiple Third Party Components Multiple Vulnerabilities","released":"2016-10-19T14:20:02Z","modified_date":"2016-12-19T14:42:30Z","criticality":2,"criticality_description":"Highly critical","solution_status":2,"solution_status_description":"Vendor Patched","where":1,"where_description":"From remote","cvss_score":10.0,"cvss_vector":"(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)","type":0,"is_zero_day":false},"created":"2016-12-20T13:43:24Z","pretty_id":76,"custom_score":null,"last_updated":"2017-01-11T19:47:09Z"}
答案 0 :(得分:0)
尝试此命令 -
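# Split the stream at each "},{" record boundary (g = every boundary, not only
# the first). Commas inside a record are left alone: they separate the fields,
# and stripping them would make each line invalid JSON for the indexer.
# Assumes "},{" occurs only between records; \n in the replacement needs GNU sed.
sed -e "s/},{/}\n{/g" -e "s/}[^}]*$/}/" f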
答案 1 :(得分:0)
在这里,替换事件分隔符是可行的,但前提是该分隔符(},{)不会出现在输入的其他位置,例如字符串值内部或嵌套的对象数组中。例如:
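# g splits every "},{" boundary, not just the first; without it a third record
# stays glued to the second and jq stops with a parse error at the comma.
# This is still a text-level split: a "},{" inside a string value or a nested
# array of objects is cut too, so check jq's exit status before ingesting.
# A parser-based split avoids that: wrap the records in [ ] and use jq -c '.[]'.
sed 's/},{/}\n{/g' secunia.txt | jq -s .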
或者使用可移植的 sed 写法:
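# Same split without depending on sed interpreting \n in the replacement:
# a backslash followed by a literal newline. g covers every record boundary,
# not only the first one on the line.
sed 's/},{/}\
{/g' secunia.txt | jq -s .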
输出:
[
{
"id": 588699,
"name": null,
"status": {
"id": 2963,
"name": "Handled"
},
"priority": {
"id": 2873,
"name": "Urgent"
},
"queue": {
"id": 2144,
"name": "Default"
},
"description": null,
"assigned_to": {
"id": 4120,
"username": "user4@company.com"
},
"asset_list": {
"id": 4777,
"name": "Info Security Threat_Splunk"
},
"advisory": {
"id": 199003,
"advisory_identifier": "SA74447",
"title": "Blue Coat Security Analytics Multiple Vulnerabilities",
"released": "2016-12-21T15:24:53Z",
"modified_date": "2016-12-21T15:24:53Z",
"criticality": 2,
"criticality_description": "Highly critical",
"solution_status": 4,
"solution_status_description": "Partial Fix",
"where": 1,
"where_description": "From remote",
"cvss_score": 10,
"cvss_vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:TF/RC:C)",
"type": 0,
"is_zero_day": false
},
"created": "2016-12-21T15:33:09Z",
"pretty_id": 79,
"custom_score": null,
"last_updated": "2016-12-21T15:40:28Z"
},
{
"id": 584252,
"name": null,
"status": {
"id": 2963,
"name": "Handled"
},
"priority": {
"id": 2873,
"name": "Urgent"
},
"queue": {
"id": 2144,
"name": "Default"
},
"description": null,
"assigned_to": {
"id": 4118,
"username": "user3@company.com"
},
"asset_list": {
"id": 4657,
"name": "PSS Middleware Environment"
},
"advisory": {
"id": 195840,
"advisory_identifier": "SA73221",
"title": "Oracle Solaris Multiple Third Party Components Multiple Vulnerabilities",
"released": "2016-10-19T14:20:02Z",
"modified_date": "2016-12-19T14:42:30Z",
"criticality": 2,
"criticality_description": "Highly critical",
"solution_status": 2,
"solution_status_description": "Vendor Patched",
"where": 1,
"where_description": "From remote",
"cvss_score": 10,
"cvss_vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)",
"type": 0,
"is_zero_day": false
},
"created": "2016-12-20T13:43:24Z",
"pretty_id": 76,
"custom_score": null,
"last_updated": "2017-01-11T19:47:09Z"
}
]