I have the log below, and I want to get the value of Description at the following place: - Calling Checklist1003. How can I do that?
Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This is a resubmission of a case that was underwritten using the
11/21/2019 09:21:53.297 UW_10.30 KB engine
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 UWROUTER service will be used for underwriting
11/21/2019 09:21:53.297 ----------------------------------------------------------------
11/21/2019 09:21:53.297 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This case will be underwritten using UWROUTER 1.0
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 **Calling Checklist1003**
11/21/2019 09:21:53.345 ----------------------------------------------------------------
11/21/2019 09:21:53.345 Message type: Code: 118310 dec, 1ce26 hex
11/21/2019 09:21:53.345 Fault type: Undefined Severity: Undefined
11/21/2019 09:21:53.345 **Description**: Hired From Date is missing for secondary employment for
11/21/2019 09:21:53.345 applicant .
11/21/2019 09:21:53.345
11/21/2019 09:21:53.358 -----------------------------------------
Answer 0: (score: 0)
index=du sourcetype="ab:xyz-log"
| rex field=_raw mode=sed "s/([\n\r\s]+)\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}/\1/g"
| rex field=_raw max_match=0 "Calling Checklist1003[^-]+[^\n]+\n[^\n]+(?<checklist>[^-]+)"
| rex field=checklist "Description:(?<Description>[^\e]+)"
| rex field=_raw "INST_INFO:\s\d+\|(?<lenderInstName>.*)\|"
| rex field=_raw "lenderCaseNo\s\[(?<lenderCaseNumber>\d+)\]"
| eval BTime=strptime(Begin_time,"%H:%M:%S.%3N")
| eval CTime=strptime(Completion_time,"%H:%M:%S.%3N")
| eval ResTime=CTime-BTime
| table Description lenderInstName lenderCaseNumber Begin_time Completion_time
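
The same extraction can be checked offline before it goes into a search. The following Python sketch is an added example, not part of the original answer: it strips the per-line timestamps, splits the event into message blocks on the dashed separator lines, and returns the Description of the block that follows the marker. The function name `descriptions_after` and the sample text (built from the question's log, with the `**` markers removed) are assumptions made for the illustration.

```python
import re

# Constructed sample: lines taken from the question's log, ** markers removed.
SAMPLE_LOG = """\
11/21/2019 09:21:53.297 Description: This case will be underwritten using UWROUTER 1.0
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 Calling Checklist1003
11/21/2019 09:21:53.345 ----------------------------------------------------------------
11/21/2019 09:21:53.345 Message type: Code: 118310 dec, 1ce26 hex
11/21/2019 09:21:53.345 Fault type: Undefined Severity: Undefined
11/21/2019 09:21:53.345 Description: Hired From Date is missing for secondary employment for
11/21/2019 09:21:53.345 applicant .
11/21/2019 09:21:53.345
11/21/2019 09:21:53.358 -----------------------------------------
"""

# Leading "MM/DD/YYYY HH:MM:SS.mmm " prefix, the same thing the sed-mode rex removes.
TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ?")
# A line made only of dashes separates one message block from the next.
SEPARATOR = re.compile(r"^-{5,}$", re.MULTILINE)
# Description text runs until the first blank line (or the end of the block).
DESCRIPTION = re.compile(r"^Description:[ \t]*(.*?)(?=\n[ \t]*\n|\Z)",
                         re.MULTILINE | re.DOTALL)


def descriptions_after(marker, log_text):
    """Return the Description of every block that directly follows `marker`."""
    lines = [TIMESTAMP.sub("", line).rstrip() for line in log_text.splitlines()]
    blocks = SEPARATOR.split("\n".join(lines))
    found = []
    for block, following in zip(blocks, blocks[1:]):
        if marker not in block:
            continue  # marker must sit in the block just before the target
        match = DESCRIPTION.search(following)
        if match:
            # Re-join a Description that was wrapped over several log lines.
            found.append(" ".join(match.group(1).split()))
    return found


if __name__ == "__main__":
    for text in descriptions_after("Calling Checklist1003", SAMPLE_LOG):
        print(text)
```
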