PowerShell: alternative format for broken JSON

wko9yo5t posted on 2022-11-10 in Shell
Follow (0) | Answers (1) | Views (106)

I have the following situation. I receive "JSON" messages in the following format.

{
    "alert_type": "RATE_BASED",
    "alert_name": "Process Discovery",
    "search_period": "300000",
    "hit_oeprator": "GREATER_THAN",
        "Source_info": "http://loginsight.ch/",
        "url": "https://loginsight.ch/s/k978la",
        "info": "null",
        "time": "2022-10-24 09:07",
        "messagesString":"[{"text":"Details zur Pipelineausführung für die Befehlszeile: Get-Process. \r\n\r\nKontextinformationen: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=49\r\n\r\n\tUserId=test\\testuser\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.2931\r\n\tHostId=617fb611-ac04-46ec-b26a-ea40588d28b7\r\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n\tEngineVersion=5.1.17763.2931\r\n\tRunspaceId=c64d0bb9-c73d-41e9-b137-6163143876f0\r\n\tPipelineId=22\r\n\tScriptName=\r\n\tCommandLine=Get-Process \r\n\r\nDetails: \r\nCommandInvocation(Get-Process): \"Get-Process\"\r\n","timestamp":1666602432506,"fields":[{"name":"HostApplication","content":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},{"name":"eventid","content":"800"},{"name":"CommandLinePS","content":"Get-Process"},{"name":"keywords","content":"Klassisch"},{"name":"level","content":"Informationen"},{"name":"channel","content":"Windows PowerShell"},{"name":"__li_agent_id","content":"DA383F42-5A9C-478D-00CC-3212C9AF9173"},{"name":"providername","content":"PowerShell"},{"name":"hostname","content":"Test.test.test.CH"},{"name":"task","content":"Details zur Pipelineausführung"},{"name":"ScriptName","content":""},{"name":"__li_source_path","content":"10.10.10.10"},{"name":"eventrecordid","content":"92389"}]}]"
}
{
    "alert_type": "RATE_BASED",
    "alert_name": "Process Discovery",
    "search_period": "300000",
    "hit_oeprator": "GREATER_THAN",
        "Source_info": "http://loginsight.ch/",
        "url": "https://loginsight.ch/s/k978la",
        "info": "null",
        "time": "2022-10-24 09:07",
        "messagesString":"[{"text":"Details zur Pipelineausführung für die Befehlszeile: Get-Process. \r\n\r\nKontextinformationen: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=49\r\n\r\n\tUserId=test\\testuser\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.2931\r\n\tHostId=617fb611-ac04-46ec-b26a-ea40588d28b7\r\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n\tEngineVersion=5.1.17763.2931\r\n\tRunspaceId=c64d0bb9-c73d-41e9-b137-6163143876f0\r\n\tPipelineId=22\r\n\tScriptName=\r\n\tCommandLine=Get-Process \r\n\r\nDetails: \r\nCommandInvocation(Get-Process): \"Get-Process\"\r\n","timestamp":1666602432506,"fields":[{"name":"HostApplication","content":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},{"name":"eventid","content":"800"},{"name":"CommandLinePS","content":"Get-Process"},{"name":"keywords","content":"Klassisch"},{"name":"level","content":"Informationen"},{"name":"channel","content":"Windows PowerShell"},{"name":"__li_agent_id","content":"DA383F42-5A9C-478D-00CC-3212C9AF9173"},{"name":"providername","content":"PowerShell"},{"name":"hostname","content":"Test.test.test.CH"},{"name":"task","content":"Details zur Pipelineausführung"},{"name":"ScriptName","content":""},{"name":"__li_source_path","content":"10.10.10.10"},{"name":"eventrecordid","content":"92389"}]}]"
}

As we can see, this is not valid JSON. But I cannot change that. In my case I have to extract all the data from the message and put it into a hashtable along the lines of "ALERT_TYPE": "RATE_BASE", "ALERT_NAME": "Process Discovery".
The difficulty is that the messagesString field contains sub-fields like the following, which also need to be added to the hashtable:

"fields":[{"name":"HostApplication","content":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},{"name":"eventid","content":"800"},{"name":"CommandLinePS","content":"Get-Process"},{"name":"keywords","content":"Klassisch"},{"name":"level","content":"Informationen"},{"name":"channel","content":"Windows PowerShell"},{"name":"__li_agent_id","content":"DA383F42-5A9C-478D-00CC-3212C9AF9173"},{"name":"providername","content":"PowerShell"},{"name":"hostname","content":"Test.Test.test.CH"},{"name":"task","content":"Details zur Pipelineausführung"},{"name":"ScriptName","content":""},{"name":"__li_source_path","content":"10.10.10.10"},{"name":"eventrecordid","content":"92389"}]

Now I was thinking of extracting the data from the Fields part with a substring method and then using regex and ConvertFrom-StringData to add the key=value pairs to a hashtable.
But that does not work as expected.
Does anyone know how to solve this?
Kind regards, Stefan

w8biq8rn 1#

There are 2 JSON objects in one string, plus a misplaced quote. If this were the JSON I was getting, I would use regex to fix the format and then split the objects. This could be done in a better way, but here is an example that works for your sample:

$jsonRaw=@"
    {
    "alert_type": "RATE_BASED",
    "alert_name": "Process Discovery",
    "search_period": "300000",
    "hit_oeprator": "GREATER_THAN",
        "Source_info": "http://loginsight.ch/",
        "url": "https://loginsight.ch/s/k978la",
        "info": "null",
        "time": "2022-10-24 09:07",
        "messagesString":"[{"text":"Details zur Pipelineausführung für die Befehlszeile: Get-Process. \r\n\r\nKontextinformationen: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=49\r\n\r\n\tUserId=test\\testuser\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.2931\r\n\tHostId=617fb611-ac04-46ec-b26a-ea40588d28b7\r\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n\tEngineVersion=5.1.17763.2931\r\n\tRunspaceId=c64d0bb9-c73d-41e9-b137-6163143876f0\r\n\tPipelineId=22\r\n\tScriptName=\r\n\tCommandLine=Get-Process \r\n\r\nDetails: \r\nCommandInvocation(Get-Process): \"Get-Process\"\r\n","timestamp":1666602432506,"fields":[{"name":"HostApplication","content":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},{"name":"eventid","content":"800"},{"name":"CommandLinePS","content":"Get-Process"},{"name":"keywords","content":"Klassisch"},{"name":"level","content":"Informationen"},{"name":"channel","content":"Windows PowerShell"},{"name":"__li_agent_id","content":"DA383F42-5A9C-478D-00CC-3212C9AF9173"},{"name":"providername","content":"PowerShell"},{"name":"hostname","content":"Test.test.test.CH"},{"name":"task","content":"Details zur Pipelineausführung"},{"name":"ScriptName","content":""},{"name":"__li_source_path","content":"10.10.10.10"},{"name":"eventrecordid","content":"92389"}]}]"
}
{
    "alert_type": "RATE_BASED",
    "alert_name": "Process Discovery",
    "search_period": "300000",
    "hit_oeprator": "GREATER_THAN",
        "Source_info": "http://loginsight.ch/",
        "url": "https://loginsight.ch/s/k978la",
        "info": "null",
        "time": "2022-10-24 09:07",
        "messagesString":"[{"text":"Details zur Pipelineausführung für die Befehlszeile: Get-Process. \r\n\r\nKontextinformationen: \r\n\tDetailSequence=1\r\n\tDetailTotal=1\r\n\r\n\tSequenceNumber=49\r\n\r\n\tUserId=test\\testuser\r\n\tHostName=ConsoleHost\r\n\tHostVersion=5.1.17763.2931\r\n\tHostId=617fb611-ac04-46ec-b26a-ea40588d28b7\r\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n\tEngineVersion=5.1.17763.2931\r\n\tRunspaceId=c64d0bb9-c73d-41e9-b137-6163143876f0\r\n\tPipelineId=22\r\n\tScriptName=\r\n\tCommandLine=Get-Process \r\n\r\nDetails: \r\nCommandInvocation(Get-Process): \"Get-Process\"\r\n","timestamp":1666602432506,"fields":[{"name":"HostApplication","content":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},{"name":"eventid","content":"800"},{"name":"CommandLinePS","content":"Get-Process"},{"name":"keywords","content":"Klassisch"},{"name":"level","content":"Informationen"},{"name":"channel","content":"Windows PowerShell"},{"name":"__li_agent_id","content":"DA383F42-5A9C-478D-00CC-3212C9AF9173"},{"name":"providername","content":"PowerShell"},{"name":"hostname","content":"Test.test.test.CH"},{"name":"task","content":"Details zur Pipelineausführung"},{"name":"ScriptName","content":""},{"name":"__li_source_path","content":"10.10.10.10"},{"name":"eventrecordid","content":"92389"}]}]"
}
"@

# fix the extra quote from the start of the array

$format1 = $jsonRaw -replace '(?:\"\[)' , '['

# fix the extra quote from the end of the array

$format2 = $format1 -replace '(?:\]\")' , ']'

# split the two JSON objects, unless this can be done in a better way

$format3 = $format2 -split '(}\r)'

$obj1 = $format3[0] + '}' | ConvertFrom-Json
$obj2 = $format3[2] | ConvertFrom-Json

Now you have $obj1 and $obj2 as PowerShell objects. What I would look into is a better way to split the two objects in the JSON.
Otherwise, if that is enough for you, you can go further with regex (not ideal, but possible): you can start expanding the messagesString with $obj1.messagesString.text, which yields:

Details zur Pipelineausführung für die Befehlszeile: Get-Process. 

Kontextinformationen: 
    DetailSequence=1
    DetailTotal=1

    SequenceNumber=49

    UserId=test\testuser
    HostName=ConsoleHost
    HostVersion=5.1.17763.2931
    HostId=617fb611-ac04-46ec-b26a-ea40588d28b7
    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    EngineVersion=5.1.17763.2931
    RunspaceId=c64d0bb9-c73d-41e9-b137-6163143876f0
    PipelineId=22
    ScriptName=
    CommandLine=Get-Process 

Details: 
CommandInvocation(Get-Process): "Get-Process"

If you want to break that down into individual strings/variables, you can use regex groups. I created an example for you here: https://regex101.com/r/9OMkH8/1, and in PowerShell you can then do the following:

# the lookahead allows for the CR that precedes the LF, so no trailing "`r" ends up in $user
$user = ($obj1.messagesString.text -split '(?s)(?<=UserId=)(.*?)(?=\r?\n)')[1]

This makes $user the string test\testuser.
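As an added example (not the answer's or the poster's code) that carries the answer's repair through to the hashtable the question asks for, with the key=value lines of the event text and the name/content pairs of fields flattened into one hashtable per alert. The sample alert is constructed and shortened, and the line-ending-independent split between the objects is an assumption that goes beyond the answer's split on "}\r".

```powershell
# Constructed, shortened sample of the alert from the question: two objects in one
# string, with the misplaced quotes around the messagesString array.
$raw = @'
{
  "alert_type": "RATE_BASED",
  "alert_name": "Process Discovery",
  "messagesString":"[{"text":"Kontextinformationen: \r\n\tUserId=test\\testuser\r\n\tHostName=ConsoleHost\r\n\tCommandLine=Get-Process \r\n","timestamp":1666602432506,"fields":[{"name":"eventid","content":"800"},{"name":"hostname","content":"Test.test.test.CH"}]}]"
}
{
  "alert_type": "RATE_BASED",
  "alert_name": "Process Discovery",
  "messagesString":"[{"text":"Kontextinformationen: \r\n\tUserId=test\\other\r\n","timestamp":1666602432600,"fields":[{"name":"eventid","content":"800"}]}]"
}
'@

function Repair-AlertJson {
    param([string]$Text)
    # Only the quote right before "[{" and the one right after "}]" are misplaced;
    # the escaped quotes (\") inside the text value are valid JSON and stay as they are.
    $fixed = $Text -replace '"\[\{', '[{' -replace '\}\]"', '}]'
    # Split between a closing brace and the next object's opening brace on a new line
    # (assumption: objects are separated by a line break; CRLF and LF both work).
    $fixed -split '(?<=\})\s*\r?\n\s*(?=\{)' | Where-Object { $_.Trim() }
}

function ConvertTo-AlertHashtable {
    param([string]$AlertJson)
    $alert = $AlertJson | ConvertFrom-Json
    $h = [ordered]@{}
    foreach ($p in $alert.PSObject.Properties) {
        if ($p.Name -ne 'messagesString') { $h[$p.Name] = $p.Value }
    }
    foreach ($msg in $alert.messagesString) {
        # key=value lines of the event text; ConvertFrom-StringData wants one pair per
        # line and unescapes backslashes, so they are doubled first (test\testuser).
        $lines = $msg.text -split '\r?\n' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -match '^\w+=' }
        if ($lines) {
            $kv = (($lines -join "`n") -replace '\\', '\\') | ConvertFrom-StringData
            foreach ($k in $kv.Keys) { $h[$k] = $kv[$k].Trim() }
        }
        # name/content pairs of the nested fields array
        foreach ($f in $msg.fields) { $h[$f.name] = $f.content }
        $h['timestamp'] = $msg.timestamp
    }
    $h
}
$alerts = @(Repair-AlertJson $raw | ForEach-Object { ConvertTo-AlertHashtable $_ })
$alerts[0].UserId, $alerts[0].eventid, $alerts[1].UserId
```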
