Splunk stats query

Question. Votes: 3, Answers: 2

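I wonder whether someone could help me, please.

I posted the following about a Splunk query I'm trying to write:

https://answers.splunk.com/answers/724223/in-a-table-powered-by-a-stats-count-search-can-you.html

I received some great help, but despite having concentrated on using eval if statements for a few days now, I still have the same problem: the "Successful" and "Unsuccessful" columns show blank results. So I thought I'd cast the net a little wider and ask whether someone could look at this and offer some guidance on how to get around the problem.

Many thanks and kind regards

Chris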

splunk splunk-query
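2 Answers
0
votes

I tried to explore your use case with the splunkd-access log and came up with a simple SPL to help you. In this query I am actually joining the output of 2 searches which aggregate the required results (not concerned about search performance).

Give it a try. If you have access to the _internal index, this will run as is. You should be able to modify it easily to suit your events (e.g. swap user for ClientID).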

index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log" 
| stats count as All sum(eval(if(status <= 303,1,0))) as Successful sum(eval(if(status > 303,1,0))) as Unsuccessful by user 
| join user type=left 
    [ search index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log" 
    | chart count BY user status ]

I updated your search from the Splunk community answers (it should look like this):

`w2_wmf(RequestCompleted)` request.detail.Context="*test" 
| dedup eventId 
| rename request.ClientID as ClientID detail.statusCode AS statusCode 
| stats count as All sum(eval(if(statusCode <= 303,1,0))) as Successful sum(eval(if(statusCode > 303,1,0))) as Unsuccessful by ClientID 
| join ClientID type=left 
    [ search `w2_wmf(RequestCompleted)` request.detail.Context="*test" 
    | dedup eventId 
    | rename request.ClientID as ClientID detail.statusCode AS statusCode 
    | chart count BY ClientID statusCode ]

0
votes

I answered on Splunk Answers

https://answers.splunk.com/answers/724223/in-a-table-powered-by-a-stats-count-search-can-you.html?childToView=729492#answer-729492

but using dummy encoding, it looks like

`w2_wmf(RequestCompleted)` request.detail.Context="*test"
  | dedup eventId
  | rename request.ClientId as ClientID, detail.statusCode as Status
  | eval X_{Status}=1
  | stats count as Total sum(X_*) as X_* by ClientID
  | rename X_* as *

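This will give you ClientID, count, and then a column for each status code found, with the sum of each code in that column.

As I gather you can't get this working, this query should demonstrate dummy encoding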

index=_internal sourcetype=*access
 | eval X_{status}=1
 | stats count as Total sum(X_*) as X_* by source, user
 | rename X_* as *

This produces similar output

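The conditional sums from the first answer and the dummy encoding from the second can be computed in a single stats pass, without a join. The search below is an added example, not part of either answer: it builds eight constructed events with makeresults (the client IDs sample-a and sample-b and their status codes are made up), so it runs without the asker's macro or any index.

```spl
| makeresults count=8
| streamstats count as n
| eval ClientID=if(n<=5, "sample-a", "sample-b")
| eval statusCode=case(n<=2, 200, n==3, 302, n==4, 404, n==5, 500, n==7, 401, true(), 200)
| eval X_{statusCode}=1
| stats count as All
        sum(eval(if(statusCode<=303,1,0))) as Successful
        sum(eval(if(statusCode>303,1,0))) as Unsuccessful
        sum(X_*) as X_*
        by ClientID
| rename X_* as *
| fillnull value=0
```

The result has one row per ClientID with All, Successful, Unsuccessful and one column per status code seen; fillnull puts 0 where a client never returned a given code.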
