带条件的 splunk 正则表达式
[英]splunk regex with condition
问题描述
I have splunk query using which i want to filter out the log which has time greater than 100 or any number.
我有 splunk 查询,我想过滤掉时间大于 100 或任何数字的日志。
2015-09-04 14:31:55.015 INFO : [org.perf4j.TimingLogger:426] - start[1441402314909] time[103] tag[getDetails]
2015-09-04 14:31:56.437 INFO : [org.perf4j.TimingLogger:426] - start[1441402316435] time[12] tag[getDetails]
2015-09-04 14:31:57.654 INFO : [org.perf4j.TimingLogger:426] - start[1441402317653] time[20] tag[getDetails]
2015-09-04 14:31:58.721 INFO : [org.perf4j.TimingLogger:426] - start[1441402318720] time[10] tag[getDetails]
Here is my spunk regex.这是我的 spunk 正则表达式。 This could filter outs above 4 line from my log but I'm unable to put the condition further (greater than ).这可以从我的日志中过滤掉 4 行以上的内容,但我无法进一步说明条件(大于 )。 Tried eval but couldn't get the intended result.尝试 eval 但无法获得预期结果。
sourcetype="abc" *|regex _raw=time\[(\d+)\]
1 个解决方案
解决方案1
1 2015-09-08 19:52:44
If the value you want to filter out is greater than or equal to 100 then check for 3 digits:如果要过滤掉的值大于或等于 100,则检查 3 位数字:
sourcetype="abc" *|regex _raw=time\[(\d{3})\]
This way only values of 100 or higher will match.这样,只有 100 或更高的值才会匹配。
EDIT : If you're looking for a number above a range (eg. 60 ):编辑:如果您正在寻找超出范围的数字(例如60 ):
sourcetype="abc" *|regex _raw=time\[([6-9]\d|\d{3,})\]
For a specific number and above (eg. 33+ ):对于特定数字及以上(例如33+ ):
sourcetype="abc" *|regex _raw=time\[(33|[3-9][3-9]|[4-9]\d+|[1-9][0-9]\d+)\]
To disallow numbers with leading zeros:禁止带有前导零的数字:
sourcetype="abc" *|regex _raw=time\[(33|[3-9][3-9]|[4-9]\d+|[1-9][0-9]\d+|[1-9]\d{2,})\]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.