Splunk: check whether a message contains certain strings

Time: 2018-09-21 09:55:00

Tags: java devops splunk splunk-query splunk-calculation

In a Splunk search query, how do I check whether a log message contains a given piece of text?

Log message:

message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 [vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver - Connected successfully, creating telemetry consumer ...

I then want to check whether the message contains "Connected successfully, creating telemetry consumer ..." and, based on that result, assign 1 or 0 to a variable.

Splunk search query:

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex field=_raw "^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
| timechart count as status | eval status=if(isnull(success_status_message), 0, 1)

success_status_message is always null.

1 answer:

Answer 0: (score: 1)

Part of the problem is the regular expression string, which does not match the sample data. The other problem is the unnecessary timechart command, which filters out the 'success_status_message' field. Try this search:

(index="05c48b55-c9aa-4743-aa4b-c0ec618691dd" ("Retry connecting in 1000ms ..." OR "Connect or create consumer failed with exception" OR "Connected successfully, creating telemetry consumer ..."))
| rex "\s-\s(?P<success_status_message>.*)" 
| eval status=if(match(success_status_message, "Connected successfully, creating telemetry consumer"), 1, 0)
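To see both points of the answer off-Splunk, here is an added Python check (not from the question or the answer) that runs the question's rex, the answer's rex and the match() test against the sample line using Python's re module, whose syntax for these patterns is the same as Splunk's PCRE. It assumes the whole line shown in the question, including the "message:" prefix, is the raw event text; the two failure-message lines are constructed from the other strings in the search.

```python
import re

# Assumption: the whole line shown in the question, including the "message:"
# prefix, is what Splunk holds in _raw. The retry and failure lines are
# constructed here from the other two strings in the search.
SAMPLE_OK = ("message:     2018-09-21T07:15:28,458+0000 comp=hub-lora-ingestor-0 "
             "[vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver "
             "- Connected successfully, creating telemetry consumer ...")
SAMPLE_RETRY = ("message:     2018-09-21T07:15:27,455+0000 comp=hub-lora-ingestor-0 "
                "[vert.x-eventloop-thread-0] INFO  com.nsc.iot.hono.receiver.HonoReceiver "
                "- Retry connecting in 1000ms ...")
SAMPLE_FAIL = ("message:     2018-09-21T07:15:26,451+0000 comp=hub-lora-ingestor-0 "
               "[vert.x-eventloop-thread-0] WARN  com.nsc.iot.hono.receiver.HonoReceiver "
               "- Connect or create consumer failed with exception")

# The question's rex: skip seven space-delimited tokens, then capture five words.
ORIGINAL_REX = r"^(?:[^ \n]* ){7}(?P<success_status_message>\w+\s+\w+,\s+\w+\s+\w+\s+\w+)"
# The answer's rex: capture everything after the first " - " separator.
ANSWER_REX = r"\s-\s(?P<success_status_message>.*)"
# The answer's match() argument; Splunk's match() is an unanchored regex search.
SUCCESS_PATTERN = r"Connected successfully, creating telemetry consumer"


def rex(raw: str, pattern: str) -> dict:
    """Emulate `| rex`: named groups of the first match, or {} when nothing matches."""
    m = re.search(pattern, raw)
    return m.groupdict() if m else {}


def status(raw: str, pattern: str = ANSWER_REX) -> int:
    """Emulate `| eval status=if(match(success_status_message, ...), 1, 0)`."""
    field = rex(raw, pattern).get("success_status_message")
    if field is None:  # field was never extracted, so it cannot match
        return 0
    return 1 if re.search(SUCCESS_PATTERN, field) else 0


if __name__ == "__main__":
    # The question's rex extracts nothing from the sample line, which is why
    # success_status_message was always null.
    print("original rex:", rex(SAMPLE_OK, ORIGINAL_REX))
    # The answer's rex captures the message tail, and status becomes 1 only
    # for the success line.
    print("answer rex:  ", rex(SAMPLE_OK, ANSWER_REX))
    for raw in (SAMPLE_OK, SAMPLE_RETRY, SAMPLE_FAIL):
        print(status(raw), raw.split(" - ", 1)[1])
```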