powershell - 将防火墙日志转换为 Powershell 哈希表

有没有什么花哨的方法来代替遍历字符串

你这样做的任何方式都将涉及某种形式的读取和解析字符串。您可以通过使用正则表达式来匹配对来简化所需的代码name="value"：

# Replace this string array with `Get-Content path\to\log\file(s).log` 
@(
  '2021:09:08-00:02:45 fwtest ulogd[4040]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60019" initf="eth2" srcmac="01:23:45:67:89:ab" dstmac="ba:98:76:54:32:10" srcip="10.0.0.1" dstip="10.0.1.1" proto="17" length="96" tos="0x00" prec="0x00" ttl="45" srcport="1234" dstport="4321"'
) |Select-String -Pattern '\b(\w+)\="([^"]+)"' -AllMatches |ForEach-Object {
  # Create an ordered dictionary to hold the name-value pairs
  $props = [ordered]@{}

  # Iterate over each pair found by Select-String
  $_.Matches |ForEach-Object {
    # Add each name-value pair to the dictionary
    $props[$_.Groups[1].Value] = $_.Groups[2].Value
  }

  # Convert dictionary to PSObject
  [pscustomobject]$props
}

这将在每个日志行生成 1 个新对象，您可以使用内置实用程序（如Where-Object、Group-Object等）来处理这些对象Measure-Object。

使用的正则表达式模式 ( \b(\w+)\="([^"]+)") 描述：

\b          # match a word boundary
  (         # capture group start
   \w+      # match 1 or more word characters (letters or numbers)
  )         # capture group end
  \="       # match a literal = followed by "
  (         # capture group start
   [^"]+    # match 1 or more of any characters except "
  )         # capture group end
  "         # match a literal "