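I have a log file from our friends at Microsoft in a very challenging format. The file is as follows:
- The file is a .CSV
- Four columns, the fourth containing JSON
- All JSON key pairs are wrapped in two sets of double quotes
I exported several of these files and I would like to quickly parse them using GREP in the terminal to look for key events.
Sanitized example: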
CreationDate,UserIds,Operations,AuditData
2022-01-01T15:00:00.0000000Z,[email protected],FileViewed,"{""AppAccessContext"":{""CorrelationId"":""f6298547-d934-4c79-8bab-c5c394f31f65""},""CreationTime"":""2022-01-01T15:00:00"",""Id"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""Operation"":""FileViewed"",""OrganizationId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""RecordType"":0,""UserType"":0,""Version"":0,""Workload"":""OneDrive"",""ClientIP"":""172.0.0.1"",""ObjectId"":""https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt"",""UserId"":""[email protected]"",""CorrelationId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""EventSource"":""SharePoint"",""ItemType"":""File"",""ListId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""ListItemUniqueId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""Site"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""WebId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""SourceFileName"":""TextFile.txt"",""SourceRelativeUrl"":""Documents""}"
2022-01-01T15:01:15.0000000Z,[email protected],FileViewed,"{""AppAccessContext"":{""CorrelationId"":""f6298547-d934-4c79-8bab-c5c394f31f65""},""CreationTime"":""2022-01-01T15:01:15"",""Id"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""Operation"":""FileViewed"",""OrganizationId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""RecordType"":0,""UserType"":0,""Version"":0,""Workload"":""OneDrive"",""ClientIP"":""172.0.0.1"",""ObjectId"":""https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt"",""UserId"":""[email protected]"",""CorrelationId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""EventSource"":""SharePoint"",""ItemType"":""File"",""ListId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""ListItemUniqueId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""Site"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""WebId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""SourceFileName"":""TextFile.txt"",""SourceRelativeUrl"":""Documents""}"
2022-01-01T15:02:02.0000000Z,[email protected],FileViewed,"{""AppAccessContext"":{""CorrelationId"":""f6298547-d934-4c79-8bab-c5c394f31f65""},""CreationTime"":""2022-01-01T15:02:02"",""Id"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""Operation"":""FileViewed"",""OrganizationId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""RecordType"":0,""UserType"":0,""Version"":0,""Workload"":""OneDrive"",""ClientIP"":""172.0.0.1"",""ObjectId"":""https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt"",""UserId"":""[email protected]"",""CorrelationId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""EventSource"":""SharePoint"",""ItemType"":""File"",""ListId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""ListItemUniqueId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""Site"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""WebId"":""f6298547-d934-4c79-8bab-c5c394f31f65"",""SourceFileName"":""TextFile.txt"",""SourceRelativeUrl"":""Documents""}"
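I am trying to parse the file using a combination of cut and jq in the terminal, but I am struggling because the cut command does not work well when the JSON column is littered with the comma delimiter. I would change the file to a tab-delimited file; however, ideally I would like to avoid this where possible, because I want to quickly check the logs for key events without having to open each log and convert the format.
Where I am at: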
grep FileViewed AnnoyingLogFile.csv | cut -d, -f 4 | jq .
Output:
"{"
"AppAccessContext"
":{"
"CorrelationId"
":"
"f6298547-d934-4c79-8bab-c5c394f31f65"
The output I want:
{
  "AppAccessContext":
  {
    "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65"
  },
  "CreationTime": "2022-01-01T15:00:00",
  "Id": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "Operation": "FileViewed",
  "OrganizationId": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "RecordType": 0,
  "UserType": 0,
  "Version": 0,
  "Workload": "OneDrive",
  "ClientIP": "172.0.0.1",
  "ObjectId": "https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt",
  "UserId": "[email protected]",
  "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "EventSource": "SharePoint",
  "ItemType": "File",
  "ListId": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "ListItemUniqueId": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "Site": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "WebId": "f6298547-d934-4c79-8bab-c5c394f31f65",
  "SourceFileName": "TextFile.txt",
  "SourceRelativeUrl": "Documents"
}
...
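I have already used another method to analyse these logs, but I wanted to pose this question here to see whether the parsing can be done in the terminal with cut, jq, or any other command.
uj5u.com user reply:
You may want to try Miller, which is available here as a standalone executable for various operating systems.
With Miller, parsing and converting a CSV that contains a JSON field becomes a breeze: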
mlr --icsv --ojson json-parse AnnoyingLogFile.csv
[
{
  "CreationDate": "2022-01-01T15:00:00.0000000Z",
  "UserIds": "[email protected]",
  "Operations": "FileViewed",
  "AuditData": {
    "AppAccessContext": {
      "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65"
    },
    "CreationTime": "2022-01-01T15:00:00",
    "Id": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "Operation": "FileViewed",
    "OrganizationId": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "RecordType": 0,
    "UserType": 0,
    "Version": 0,
    "Workload": "OneDrive",
    "ClientIP": "172.0.0.1",
    "ObjectId": "https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt",
    "UserId": "[email protected]",
    "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "EventSource": "SharePoint",
    "ItemType": "File",
    "ListId": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "ListItemUniqueId": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "Site": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "WebId": "f6298547-d934-4c79-8bab-c5c394f31f65",
    "SourceFileName": "TextFile.txt",
    "SourceRelativeUrl": "Documents"
  }
}, ...
And to output a stack of JSON objects equivalent to the expected output:
mlr --icsv --ojsonl json-parse then filter 'emit1 $AuditData; false;' AnnoyingLogFile.csv
{"AppAccessContext": {"CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65"}, "CreationTime": "2022-01-01T15:00:00", "Id": "f6298547-d934-4c79-8bab-c5c394f31f65", "Operation": "FileViewed", "OrganizationId": "f6298547-d934-4c79-8bab-c5c394f31f65", "RecordType": 0, "UserType": 0, "Version": 0, "Workload": "OneDrive", "ClientIP": "172.0.0.1", "ObjectId": "https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt", "UserId": "[email protected]", "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65", "EventSource": "SharePoint", "ItemType": "File", "ListId": "f6298547-d934-4c79-8bab-c5c394f31f65", "ListItemUniqueId": "f6298547-d934-4c79-8bab-c5c394f31f65", "Site": "f6298547-d934-4c79-8bab-c5c394f31f65", "WebId": "f6298547-d934-4c79-8bab-c5c394f31f65", "SourceFileName": "TextFile.txt", "SourceRelativeUrl": "Documents"}
{"AppAccessContext": {"CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65"}, "CreationTime": "2022-01-01T15:01:15", "Id": "f6298547-d934-4c79-8bab-c5c394f31f65", "Operation": "FileViewed", "OrganizationId": "f6298547-d934-4c79-8bab-c5c394f31f65", "RecordType": 0, "UserType": 0, "Version": 0, "Workload": "OneDrive", "ClientIP": "172.0.0.1", "ObjectId": "https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt", "UserId": "[email protected]", "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65", "EventSource": "SharePoint", "ItemType": "File", "ListId": "f6298547-d934-4c79-8bab-c5c394f31f65", "ListItemUniqueId": "f6298547-d934-4c79-8bab-c5c394f31f65", "Site": "f6298547-d934-4c79-8bab-c5c394f31f65", "WebId": "f6298547-d934-4c79-8bab-c5c394f31f65", "SourceFileName": "TextFile.txt", "SourceRelativeUrl": "Documents"}
{"AppAccessContext": {"CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65"}, "CreationTime": "2022-01-01T15:02:02", "Id": "f6298547-d934-4c79-8bab-c5c394f31f65", "Operation": "FileViewed", "OrganizationId": "f6298547-d934-4c79-8bab-c5c394f31f65", "RecordType": 0, "UserType": 0, "Version": 0, "Workload": "OneDrive", "ClientIP": "172.0.0.1", "ObjectId": "https://websitebame-my.sharepoint.com/personal/user_directory/Documents/TextFile.txt", "UserId": "[email protected]", "CorrelationId": "f6298547-d934-4c79-8bab-c5c394f31f65", "EventSource": "SharePoint", "ItemType": "File", "ListId": "f6298547-d934-4c79-8bab-c5c394f31f65", "ListItemUniqueId": "f6298547-d934-4c79-8bab-c5c394f31f65", "Site": "f6298547-d934-4c79-8bab-c5c394f31f65", "WebId": "f6298547-d934-4c79-8bab-c5c394f31f65", "SourceFileName": "TextFile.txt", "SourceRelativeUrl": "Documents"}
uj5u.com user reply:
Maybe not the best, but it works:
grep FileViewed AnnoyingLogFile.csv | cut -d, -f 4- | sed -e 's/""/"/g' -e 's/^"//' -e 's/"$//' | jq .
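The first sed replaces "" with ", the second deletes the " at the beginning, and the third the one at the end.
If the JSON is not the last column, you can use rev, cut it from the end, and rev it back.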
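The same extraction done with a real CSV parser instead of cut and sed, as an added example that is not part of either reply: Python's csv module un-doubles the quotes and keeps commas inside the AuditData field, and rows whose JSON does not parse are reported instead of being silently dropped. The sample rows, the user@example.com address and the function names are constructed for illustration.

```python
import csv
import io
import json
import sys

# Constructed sample in the export layout shown above (not real audit data).
# Row 1 has a comma inside a JSON value; row 3 has truncated JSON.
SAMPLE = '''CreationDate,UserIds,Operations,AuditData
2022-01-01T15:00:00.0000000Z,user@example.com,FileViewed,"{""Operation"":""FileViewed"",""ClientIP"":""172.0.0.1"",""SourceFileName"":""Text,File.txt""}"
2022-01-01T15:01:15.0000000Z,user@example.com,FileDeleted,"{""Operation"":""FileDeleted"",""ClientIP"":""172.0.0.1"",""SourceFileName"":""a.txt""}"
2022-01-01T15:02:02.0000000Z,user@example.com,FileViewed,"{""Operation"":""FileViewed"",""ClientIP"":"
'''

# The csv module rejects fields over 131072 characters by default; raise the
# limit so a large AuditData blob does not abort the run.
csv.field_size_limit(16 * 1024 * 1024)

def iter_audit_events(stream, operation=None):
    """Yield (row, event); event is None when AuditData is not valid JSON."""
    for row in csv.DictReader(stream):  # un-doubles "" and keeps embedded commas
        if operation and row.get("Operations") != operation:
            continue
        try:
            event = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            event = None
        yield row, event

def summarize(stream, operation=None):
    """Return (events, bad): parsed dicts and CreationDate of unparseable rows."""
    events, bad = [], []
    for row, event in iter_audit_events(stream, operation):
        if event is None:
            bad.append(row.get("CreationDate"))
        else:
            events.append(event)
    return events, bad

if __name__ == "__main__":
    # Usage: python3 this_script.py FILE [OPERATION]; no arguments runs SAMPLE.
    args = sys.argv[1:]
    src = open(args[0], newline="", encoding="utf-8-sig") if args else io.StringIO(SAMPLE)
    events, bad = summarize(src, args[1] if len(args) > 1 else None)
    for event in events:
        print(json.dumps(event))
    for ts in bad:
        print(f"unparseable AuditData, CreationDate={ts}", file=sys.stderr)
```

The output is one JSON object per line, so it can still be piped into jq . or grep for triage.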
