PowerShell: using a ConvertFrom-Csv delimiter for variable-length whitespace
I have a report that generates a CSV file of Windows Security events. From this report, I want to extract specific information. The code below parses each line of data by the spaces between the fields. This works fine:
$InStuff = Get-Content -Path 'SecurityEvents.csv'
$ColCount = $InStuff[1].Split(' ').Count
$Collection = $InStuff | ConvertFrom-Csv -Delimiter ' ' -Header (1..$ColCount).ForEach({"Column_$_"})
$Collection |
Select-Object -Property 'Column_17', 'Column_83'
Sample lines from the CSV:
<134>Dec 13 13:50:23 10.137.119.42 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:23 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy625 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy625 Account Domain: MyCompany Logon ID: XXXXXXXX Object: Object Server: DS Object Type: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Object Name: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} Additional Information: Parameter 1: - Parameter 2: 123456
<134>Dec 13 13:50:18 10.137.119.42 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:18 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy626 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy626 Account Domain: MyCompany Logon ID: XXXXXXXX Object: Object Server: DS Object Type: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Object Name: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} Additional Information: Parameter 1: - Parameter 2: 123456
<134>Jan 4 13:50:14 10.137.118.22 MSWinEventLog 1 Security 123456789 Thu Dec 13 13:50:14 2018 4662 Microsoft-Windows-Security-Auditing MyCompany\dy627 N/A Success Audit mydc1.dy625.com Directory Service Access An operation was performed on an object. Subject : Security ID: S-123456 Account Name: dy627 Account Domain: MyCompany Logon ID: XXXXXXXX Object: Object Server: DS Object Type: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Object Name: %{XXXXXXXX-XXXXXXXX-XXXXXXXX} Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} {XXXX-XXXX-XXXXX} Additional Information: Parameter 1: - Parameter 2: 123456
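An unforeseen problem is that Windows does not format the date the way I expected. For example, see below:
<134>Dec 13
<134>Jan  4
If you notice, there are two spaces between "Jan" and "4", while there is one space between "Dec" and "13". This means I need to run two different scripts, depending on the day of the month.
I would like to know whether, in this particular instance, the delimiter can be set to "variable" whitespace rather than a single defined ' '. The ConvertFrom-Csv command does not appear to support this, and I am not sure how to rewrite the code to accommodate it.
Just replace all double spaces with a single space: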
$InStuff = $InStuff.Replace('  ', ' ')
You need to add another step that replaces "two or more whitespace characters" with a single space. Something like this:
# fake reading in a text file
# in real life, use Get-Content
$Test = @'
dec 13 qwerty
jan  4 asdfgh
'@ -split [environment]::NewLine
$Test -replace '\s{2,}', ' ' |
ConvertFrom-Csv -Delimiter ' ' -Header 'One', 'Two'
Output:
One Two
--- ---
dec 13
jan 4
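@Lee_Dailey I am going to shamelessly reach out to you, since you are familiar with this code and have been very helpful in the past.
This is a fixed-width CSV. Question: does the CSV use headers from which to derive the field widths?
@Theo - I am actually too inexperienced to answer your question. All of the data is generated in a single column. However, at this point, T-Me has provided me with a suitable solution.
I saw that, but if you need to do more with the actual data, splitting on the space character will create 7 fields for the one field "An operation was performed on an object.". In a fixed-width file, each field has a predefined character length (width). When you know the width of each field, you can convert to a more "normal" comma-separated CSV file, which will make importing easier.
Thank you very much, it works great and is also less messy.
Hey man, thanks for your help. Yes, my code is working again, and it no longer depends on the date.
@dy625 - kool! Glad to know you got it working ... [grin]
@Theo - argh! [blush] I meant to use {2,} but posted the wrong version [{1,2}]. Thanks for the heads-up on that! [grin]
@Lee_Dailey Yes, \s{2,} is actually more to the point than my \s+. I see you have already edited your answer, so I will delete my comment.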