我有一个带有模块化警报的Splunk应用。模块化警报显示为stdin,(从我一直在阅读的内容中)应该为我提供触发警报的搜索结果。唯一的事情是-我没有得到搜索结果。我想要的是获取触发警报的搜索结果,然后将其发布到第三方API。
我从标准输入中得到的例子:
{"AcctID":"6024298300471575","Code":"B","JSESSIONID":"","VendorID":"5036","_bkt":"main~0~7FBDE914-CC38-406A-A981-9D386778775F","_cd":"0:531810","_eventtype_color":"","_indextime":"1566579959","_kv":"1","_raw":"[15/Aug/2019:18:24:02] VendorID=5036 Code=B AcctID=6024298300471575","_serial":"0","si":["66df4e3239eb","main"],"sourcetype":"vendor_sales","time":"1565893442","action":"","bytes":"","categoryId":"","clientip":"","cookie":"","date_hour":"18","date_mday":"15","date_minute":"24","date_month":"august","date_second":"2","date_wday":"thursday","date_year":"2019","date_zone":"local","eventtype":"","file":"","host":"vendor_sales","ident":"","index":"main","itemId":"","linecount":"1","method":"","other":"","productId":"","punct":"[//:::]===","referer":"","referer_domain":"","req_time":"","root":"","source":"tutorialdata.zip:./vendor_sales/vendor_sales.log","sourcetype":"vendor_sales","splunk_server":"66df4e3239eb","splunk_server_group":"","status":"","t":"","timeendpos":"21","timestartpos":"1","uri":"","uri_domain":"","uri_path":"","uri_query":"","user":"","useragent":"","version":""}
我在这里做错了什么?我在这里做错了吗?如果是这样,我应该做什么 仍然可以在Splunk应用程序中分发?