Querying fields whose values are JSON

Time: 2020-03-16 19:03:49

Tags: splunk splunk-query

I have the following log:

INFO [http-nio-80-exec-30] class:ControllerV3, M=method, UA=ua, URI=/v3/transactions, QS=limit=21&offset=0&sort=-createDate, V=v3, P=3, RT=50, ET=25, ELAPSE-TIME=50,

REQ={"userId":98745569,"initialCreationDate":"2020-03-13T00:00:00","finalCreationDate":"2020-03-16T15:41:36","source":"SOURCE","statusIds":[2,3,4,5,6,7,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,79],"accountingEntryType":"ENTRY_TYPE","considerPartialTransaction":true},

GW=false

So I don't know how to get metrics and data about the REQ JSON field. I want to know which values were passed in statusIds, accountingEntryType and considerPartialTransaction, and the date range of initialCreationDate and finalCreationDate. To get metrics on regular fields I use something like | stats count by UA. I'm new to Splunk and don't know the functions needed to get these results.

1 Answer:

Answer 0 (score: 1)

Your best option is to extract the REQ field and then use spath on it to pull the details out of the JSON.

To extract the REQ field you can use the following command. Note that this will not handle nested JSON, but if your events contain nested JSON you can use a different regular expression.

| rex field=raw "REQ=(?<REQ>[^}]+})"

Once you have the REQ field, you can use spath to extract all the fields and values from the JSON with the following command

| spath input=REQ

Here is an example showing the extraction and spath working.

| makeresults | eval raw="
    INFO [http-nio-80-exec-30] class:ControllerV3, M=method, UA=ua, URI=/v3/transactions, QS=limit=21&offset=0&sort=-createDate, V=v3, P=3, RT=50, ET=25, ELAPSE-TIME=50,
    REQ={\"userId\":98745569,\"initialCreationDate\":\"2020-03-13T00:00:00\",\"finalCreationDate\":\"2020-03-16T15:41:36\",\"source\":\"SOURCE\",\"statusIds\":[2,3,4,5,6,7,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,79],\"accountingEntryType\":\"ENTRY_TYPE\",\"considerPartialTransaction\":true},
    GW=false
    "
| rex field=raw "REQ=(?<REQ>[^}]+})"
| spath input=REQ
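As an added example (not part of the answer or of Splunk itself), the same pipeline re-implemented offline in Python so the rex and spath steps can be checked outside Splunk: it pulls REQ out of constructed events in the question's format, computes the value counts and date range the question asks for, and shows why the answer's `[^}]+}` pattern breaks on nested JSON while a brace-aware JSON parse does not. The sample events, field names other than those in the log, and the function names are assumptions.

```python
import json
import re

# Constructed sample events in the question's format (not real traffic); the second
# carries a nested object, the case the answer says its [^}]+} pattern cannot handle.
SAMPLE_EVENTS = [
    'INFO [http-nio-80-exec-30] class:ControllerV3, M=method, UA=ua, URI=/v3/transactions, '
    'REQ={"userId":98745569,"initialCreationDate":"2020-03-13T00:00:00",'
    '"finalCreationDate":"2020-03-16T15:41:36","source":"SOURCE","statusIds":[2,3,4],'
    '"accountingEntryType":"ENTRY_TYPE","considerPartialTransaction":true}, GW=false',
    'INFO [http-nio-80-exec-31] class:ControllerV3, M=method, UA=ua, URI=/v3/transactions, '
    'REQ={"userId":1,"initialCreationDate":"2020-03-10T00:00:00",'
    '"finalCreationDate":"2020-03-12T00:00:00","filter":{"statusIds":[3,5]},'
    '"accountingEntryType":"OTHER","considerPartialTransaction":false}, GW=true',
]

REQ_START = re.compile(r"REQ=\s*")
NAIVE_REQ = re.compile(r"REQ=(?P<REQ>[^}]+})")  # the answer's rex pattern, Python group syntax

def extract_req(event: str) -> dict:
    """Offline equivalent of `rex ... | spath input=REQ`: raw_decode parses exactly one
    JSON value from the opening brace, so nested objects end at the matching brace."""
    m = REQ_START.search(event)
    if not m:
        raise ValueError("no REQ field in event")
    obj, _end = json.JSONDecoder().raw_decode(event, m.end())
    return obj

def naive_req_is_valid_json(event: str) -> bool:
    """Why the answer warns about nested JSON: [^}]+} stops at the first '}'."""
    try:
        json.loads(NAIVE_REQ.search(event).group("REQ"))
        return True
    except (AttributeError, json.JSONDecodeError):
        return False

def req_metrics(events):
    """Value counts (like `stats count by`) plus the overall creation-date range."""
    counts = {"statusIds": {}, "accountingEntryType": {}, "considerPartialTransaction": {}}
    starts, ends = [], []
    for req in map(extract_req, events):
        for sid in req.get("statusIds", []):  # multivalue field: count every element
            counts["statusIds"][sid] = counts["statusIds"].get(sid, 0) + 1
        for key in ("accountingEntryType", "considerPartialTransaction"):
            counts[key][req.get(key)] = counts[key].get(req.get(key), 0) + 1
        starts.append(req["initialCreationDate"])
        ends.append(req["finalCreationDate"])
    # ISO-8601 timestamps sort lexically, so min/max give the earliest start and latest end.
    return counts, (min(starts), max(ends))
```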