如何通过正则表达式从日志(splunk)中获取端口号?
How to get the port number from a log (splunk) by regular expressions?
如何通过正则表达式从日志(Splunk)中获取端口号:
{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"**eth-0-36**"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}
端口表示法可能因设备而异:
Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4
我试过\W+((?i)Eth....(?-i))\W+,但它在 Splunk 中不起作用。
要匹配不同的格式,您可以使用:
\beth\d*(?:-\d+)*(?:/\d+(?:\.\d+)?)?\b
部分
\b 字边界eth\d* 匹配 eth 和 0+ 数字(?:-\d+)* 重复 0+ 次 - 和 1+ 位(?:非捕获组
/\d+(?:\.\d+)? 匹配 /、1+ 位和可选的 . 和 1+ 位
)? 关闭非捕获组并使其可选\b 字边界
使用不区分大小写的匹配或使用 [Ee]th
这应该有效:
(?<=")[Ee]th.*?(?=")
它只是查找 2 个引号之间的 eth 字符串。但是如果你希望它对你提供的测试用例更严格,@TheFourthBird 的答案可能会更好
如何通过正则表达式从日志(Splunk)中获取端口号:
{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"**eth-0-36**"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}
端口表示法可能因设备而异:
Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4
我试过\W+((?i)Eth....(?-i))\W+,但它在 Splunk 中不起作用。
要匹配不同的格式,您可以使用:
\beth\d*(?:-\d+)*(?:/\d+(?:\.\d+)?)?\b
部分
\b字边界eth\d*匹配 eth 和 0+ 数字(?:-\d+)*重复 0+ 次 - 和 1+ 位(?:非捕获组/\d+(?:\.\d+)?匹配/、1+ 位和可选的.和 1+ 位
)?关闭非捕获组并使其可选\b字边界
使用不区分大小写的匹配或使用 [Ee]th
这应该有效:
(?<=")[Ee]th.*?(?=")
它只是查找 2 个引号之间的 eth 字符串。但是如果你希望它对你提供的测试用例更严格,@TheFourthBird 的答案可能会更好