gpt4 book ai didi

python - Windows 事件日志消息转换为字典,然后转换为 pandas 列

转载 作者:太空宇宙 更新时间:2023-11-03 15:28:35 25 4
gpt4 key购买 nike

我有一个 pandas 列,其中包含 Windows 事件日志的消息字段,如下所示。如何遍历并删除所有非键值样式对?

消息列包含类似的数据,但可能比显示的更多键:值类型,因为这只是一个事件 ID。

message
['subject':'none','security id':'s-1-5-12','account name':'myaccountname','account domain':'domain', 'logon id':'0x3e6', ' process information':'none', 'new process id':'0x1a53', 'new process name':'c:\windows\system32\ipconfig.exe', 'token elevation type':'%%1932','creator process id':'0x1b33', 'process command line':'none', ' token elevation type indicates the type of token that was assigned to the new process in accordance with user account control policy.',' type 1 is a full token with no privileges removed or groups disabled. a full token is only used if user account control is disabled or if the user is the built-in administrator account or a service account.', ' type 2 is an elevated token with no privileges removed or groups disabled. an elevated token is used when user account control is enabled and the user chooses to start the program using run as administrator. an elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege', ' and the user is a member of the administrators group.',' type 3 is a limited token with administrative privileges removed and administrative groups disabled. the limited token is used when user account control is enabled', ' the application does not require administrative privilege', ' and the user does not choose to start the program using run as administrator.']
['subject':'none','security id':'s-1-5-13','account name':'myaccountname','account domain':'domain', 'logon id':'0x3e6', ' process information':'none', 'new process id':'0x1a53', 'new process name':'c:\windows\system32\net.exe', 'token elevation type':'%%1932','creator process id':'0x1b33', 'process command line':'none', ' token elevation type indicates the type of token that was assigned to the new process in accordance with user account control policy.',' type 1 is a full token with no privileges removed or groups disabled. a full token is only used if user account control is disabled or if the user is the built-in administrator account or a service account.', ' type 2 is an elevated token with no privileges removed or groups disabled. an elevated token is used when user account control is enabled and the user chooses to start the program using run as administrator. an elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege', ' and the user is a member of the administrators group.',' type 3 is a limited token with administrative privileges removed and administrative groups disabled. the limited token is used when user account control is enabled', ' the application does not require administrative privilege', ' and the user does not choose to start the program using run as administrator.']

预期输出:

subject  security id   account name  logon id  process information  new processs id                  new process name  token elevation type  creator process id   process command line
none s-1-5-12 myaccountname 0x3e6 none 0x1a53 c:\windows\system32\ipconfig.exe %%1932 0x1b33 none

如果我可以从数据中获取非键:值对,我知道我可以使用此方法。

pandas list of dictionary to separate columns

最佳答案

您可以使用yaml ,如果 dict 中缺少 value,则添加 None 值,然后删除所有 None对:

print (df)
message
0 {'a':'none','b':'2', ' token.', ' type 1'}

import yaml

print (df.message.apply(yaml.load))
0 {' token.': None, ' type 1': None, 'b': '2', ...
Name: message, dtype: object

df.message = df.message.apply(lambda x: {k: v for k, v in yaml.load(x).items() if v})
print (df)
message
0 {'b': '2', 'a': 'none'}

使用您的数据:

df = pd.DataFrame({'message':["{'subject':'none', 'security id':'s-1-5-12', 'account name':'myaccountname','account domain':'domain', 'logon id':'0x3e6', ' process information':'none', 'new process id':'0x1a53', 'new process name':'c:\windows\system32\ipconfig.exe', 'token elevation type':'%%1932', 'creator process id':'0x1b33','process command line':'none', '  token elevation type indicates the type of token that was assigned to the new process in accordance with user account control policy.', ' type 1 is a full token with no privileges removed or groups disabled.  a full token is only used if user account control is disabled or if the user is the built-in administrator account or a service account.', ' type 2 is an elevated token with no privileges removed or groups disabled.  an elevated token is used when user account control is enabled and the user chooses to start the program using run as administrator.  an elevated token is also used when an application is configured to always require administrative privilege or to always require maimum privilege', ' and the user is a member of the administrators group.',' type 3 is a limited token with administrative privileges removed and administrative groups disabled.  the limited token is used when user account control is enabled', ' the application does not require administrative privilege', ' and the user does not choose to start the program using run as administrator.'}"]})
<小时/>
import yaml
df.message = df.message.apply(lambda x: {k: v for k, v in yaml.load(x).items() if v})

df1 = pd.DataFrame(df.pop('message').values.tolist(), index=df.index)
print (df1)
process information account domain account name creator process id \
0 none domain myaccountname 0x1b33

logon id new process id new process name \
0 0x3e6 0x1a53 c:\windows\system32\ipconfig.exe

process command line security id subject token elevation type
0 none s-1-5-12 none %%1932

编辑:

import yaml
df.message=df.message.str[0].apply(lambda x:{k:v for k,v in yaml.load('{'+x+'}').items() if v})

df1 = pd.DataFrame(df.pop('message').values.tolist(), index=df.index)
print (df1)
process information account domain account name creator process id \
0 none domain myaccountname 0x1b33

logon id new process id new process name \
0 0x3e6 0x1a53 c:\windows\system32\ipconfig.exe

process command line security id subject token elevation type
0 none s-1-5-12 none %%1932

关于python - Windows 事件日志消息转换为字典,然后转换为 pandas 列,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43037416/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com