我在cloudwatch日志上有以下查询
fields replace(path,'%20',' ') as pathz
| parse pathz /^(?<url1>.*) [!A-Z0-9-]*(?<url2>[ˆ!].*)$/
| fields concat(url1, url2) as url
| display coalesce(url,pathz) as furl
解析的 3 个示例路径是:
/v1/routing/pega-public/prweb/api/v1/assignments/ASSIGN-WORKLIST GNR-AUTO-WORK ST-4102!RACCOLTADATIPRELIMINARI_FLOW
/v1/routing/pega-public/prweb/api/DeviceInfoPackage/v1/SetInitialCaseInfomation
/v1/routing/pega-public/prweb/api/v1/cases/GNR-AUTO-WORK 43FFC9776C00474388A664A8A3E24B68
所需的输出是删除数据:
/v1/routing/pega-public/prweb/api/v1/assignments/ASSIGN-WORKLIST GNR-AUTO-WORK RACCOLTADATIPRELIMINARI_FLOW
/v1/routing/pega-public/prweb/api/DeviceInfoPackage/v1/SetInitialCaseInfomation
/v1/routing/pega-public/prweb/api/v1/cases/GNR-AUTO-WORK
但我无法得到它
第三行是空的,这是因为 concat 输出不返回
'null'我深入研究了文档和互联网上的几个例子,但没有办法让它正常工作
解决了这个:
fields @timestamp, status, replace(path,'%20',' ') as pathx
| parse pathx /(?<a1>^[^ ]+ *[A-Z-]*)( (?<a2>[A-Z0-9-]+){1,2}(?<a3>.*))*/
| filter
| display concat(a1,a3) as cleanurl