创建Splunk自定义命令实现unicode转中文功能

01 说明

创建Splunk自定义命令实现unicode转中文功能，需要结合Splunklib进行使用

Splunklib 下载地址

02 使用方法

| eval unicode field=需要转换的字段

03 Python代码

3.1 unicode.py

#!/usr/bin/python
# coding:utf-8

import sys
import logging
import re
from splunklib.searchcommands import dispatch, StreamingCommand, Configuration, Option, validators


@Configuration()
class unicode(StreamingCommand):
    # 创建log文件配置
    logging.basicConfig(level=logging.DEBUG,
                        format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s',
                        datefmt='%a, %d %b %Y %H:%M:%S',
                        filename='nuicode.log',
                        filemode='a')

    field = Option(name='field', require=True)
    def stream(self, records):
        logging.debug(self.field)
        if self.field != None:
            for record in records:
                subject = record[self.field]
                # record[self.field] = subject.encode('utf-8').decode('unicode_escape')
                record[self.field] = re.sub(r'(\\u[\s\S]{4})',lambda x:x.group(1).encode("utf-8").decode("unicode-escape"),subject)
                # logging.debug(record)
                yield record


dispatch(unicode, sys.argv, sys.stdin, sys.stdout, __name__)

3.2 local/commands.conf

[unicode]
filename = unicode.py
supports_getinfo = true
supports_rawargs = true
outputheader = true

3.3 local/searchbnf.conf

[unicode-command]
syntax      = subjectdecode field=<string> ?
shortdesc   = Converts Unicode to Chinese
description = Converts Unicode to Chinese \i\\
              "field"   - specify the field containing the data to encode or decode.\i\\

comment1 = decode the content of the field ab and store the results in a new field.
example1 = | unicode field="ab"