如何删除“|” 从 json 在 splunk 中导出?
[英]How to remove '|' from json export in splunk?
问题描述
So I am trying to export through python splunk queries to elasticsearch.
所以我试图通过 python splunk 查询导出到 elasticsearch。 I am using the json.dump() feature in python which is working and converting exactly like SPLUNK Web's convert feature.我正在使用 python 中的 json.dump() 功能,它的工作和转换与 SPLUNK Web 的转换功能完全一样。 My issue with it though is that it's giving me one field, named _RAW, with pipes '|'我的问题是它给了我一个名为_RAW的字段,带有管道'|' information so elastic search doesn't see the individual fields yet clumps it all together like so:信息,所以弹性搜索不会看到单个字段,而是将它们聚集在一起,如下所示:
Data| nameId="123123" | exampleID='1234123' | fieldName="Example" ....etc
I want to be able to have a "data" field or a "fieldName" field not all of that clumped into one big field named "raw"我希望能够拥有一个“数据”字段或一个“fieldName”字段,而不是所有这些都聚集在一个名为“raw”的大字段中
2 个解决方案
解决方案1
1 2019-10-10 21:35:04
To remove the _raw field, you can use | fields - _raw要删除_raw字段,您可以使用| fields - _raw | fields - _raw at the end of your search. | fields - _raw 。
You may need to post your code if that doesn't help, as we may need more context如果这没有帮助,您可能需要发布您的代码,因为我们可能需要更多上下文
解决方案2
0 2019-10-21 18:34:35
I got what I needed from appending | Fields *我从附加| Fields *中得到了我需要的东西| Fields * to the end of my query. | Fields *到我的查询末尾。 I was running a python script that queried splunk but it was running in fast mode not verbose, so the fields that I needed where in a _raw format and not individually displayed like in verbose.我正在运行一个查询 splunk 的 python 脚本,但它在快速模式下运行而不是冗长,所以我需要的字段以 _raw 格式而不是像详细那样单独显示。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.