I'm wondering if someone can help me.
I posted the following about a Splunk query I'm trying to write:
https://answers.splunk.com/answers/724223/in-a-table-powered-by-a-stats-count-search-can-you.html
I've had some great help, but despite having focused on eval if statements for a few days now, I still have the same problem: the "Successful" and "Unsuccessful" columns show blank results. So I thought I'd cast the net a bit wider and ask whether anyone could take a look at this and offer some guidance on how to fix it.
Many thanks and kind regards
Chris
I tried exploring your use case with the splunkd_access log and came up with a simple SPL query to help you. In this query I'm actually joining the output of 2 searches that aggregate the required results (not worrying about search performance).
Give it a try. If you have access to the _internal index, this will run as-is. You should easily be able to modify it to fit your events (e.g. replace user with ClientID).
index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log"
| stats count as All sum(eval(if(status <= 303,1,0))) as Successful sum(eval(if(status > 303,1,0))) as Unsuccessful by user
| join user type=left
[ search index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log"
| chart count BY user status ]
I updated your search from the Splunk community answer (it should look like the following):
`w2_wmf(RequestCompleted)` request.detail.Context="*test"
| dedup eventId
| rename request.ClientID as ClientID detail.statusCode AS statusCode
| stats count as All sum(eval(if(statusCode <= 303,1,0))) as Successful sum(eval(if(statusCode > 303,1,0))) as Unsuccessful by ClientID
| join ClientID type=left
[ search `w2_wmf(RequestCompleted)` request.detail.Context="*test"
| dedup eventId
| rename request.ClientID as ClientID detail.statusCode AS statusCode
| chart count BY ClientID statusCode ]
I'm on Splunk Answers, but with dummy data it looks like
`w2_wmf(RequestCompleted)` request.detail.Context="*test"
| dedup eventId
| rename request.ClientId as ClientID, detail.statusCode as Status
| eval X_{Status}=1
| stats count as Total sum(X_*) as X_* by ClientID
| rename X_* as *
will give you ClientID, count, then a column for each status code found, with the sum of that code listed in its column.
As I gather you couldn't get this to work, this query should show it with dummy data:
index=_internal sourcetype=*access
| eval X_{status}=1
| stats count as Total sum(X_*) as X_* by source, user
| rename X_* as *
This produces output like
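To make the two aggregations in the replies above concrete, the fixed Successful/Unsuccessful columns from `stats count ... sum(eval(if(status <= 303,1,0)))` and the one-column-per-status-code pivot from `chart count BY user status` (or the `eval X_{status}=1` trick), here is a Python re-implementation run over a few constructed splunkd_access.log-style lines. This is an added example, not code from the thread or from Splunk: the log line format, the usernames, the sample lines and the handling of a non-numeric status (counted in All and in a `status_unparsed` column, but in neither Successful nor Unsuccessful) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in splunkd_access.log style (not captured from a real
# instance). The "-" status on the last line is deliberate: it shows how an event
# without a numeric status code behaves in the aggregation.
SAMPLE_LOG = """\
127.0.0.1 - admin [03/Jan/2019:10:00:01.123 +0000] "GET /services/server/info HTTP/1.1" 200 1234 - - - 2ms
127.0.0.1 - admin [03/Jan/2019:10:00:02.456 +0000] "POST /services/search/jobs HTTP/1.1" 201 512 - - - 15ms
127.0.0.1 - admin [03/Jan/2019:10:00:03.789 +0000] "GET /services/search/jobs/1 HTTP/1.1" 404 77 - - - 1ms
127.0.0.1 - alice [03/Jan/2019:10:00:04.000 +0000] "GET /en-US/app/search HTTP/1.1" 303 0 - - - 1ms
127.0.0.1 - alice [03/Jan/2019:10:00:05.000 +0000] "GET /services/auth/login HTTP/1.1" 401 100 - - - 1ms
127.0.0.1 - bob [03/Jan/2019:10:00:06.000 +0000] "GET /services/data HTTP/1.1" - 0 - - - 1ms
"""

# Field extraction for the assumed line layout: we only need user and status.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\S+) (?P<bytes>\S+)'
)

SUCCESS_MAX = 303  # threshold used in the thread: status <= 303 counts as successful


def parse_events(log_text):
    """Turn raw lines into event dicts; lines that do not match the layout are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, by="user", threshold=SUCCESS_MAX):
    """Python equivalent of
         stats count as All sum(eval(if(status<=T,1,0))) as Successful
                             sum(eval(if(status>T,1,0))) as Unsuccessful by <by>
       joined with
         chart count BY <by> status
       An event whose status is not an integer is counted in All and in a
       'status_unparsed' column, but in neither Successful nor Unsuccessful,
       so such events are visible instead of silently contributing nothing.
    """
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        row = table[ev[by]]
        row["All"] += 1
        try:
            code = int(ev["status"])
        except ValueError:
            row["status_unparsed"] += 1
            continue
        row[str(code)] += 1  # one column per status code, like chart count BY ... status
        if code <= threshold:
            row["Successful"] += 1
        else:
            row["Unsuccessful"] += 1
    # Materialise zeros so every row carries the fixed columns, as the stats output does.
    for row in table.values():
        for col in ("Successful", "Unsuccessful"):
            row.setdefault(col, 0)
    return {k: dict(v) for k, v in table.items()}


def to_rows(summary, by="user"):
    """Flatten into a header row plus one row per key, the shape of the Splunk table.
    Dynamic status-code columns are sorted and appended after the fixed ones."""
    fixed = [by, "All", "Successful", "Unsuccessful"]
    dynamic = sorted({c for row in summary.values() for c in row if c not in fixed[1:]})
    header = fixed + dynamic
    rows = [header]
    for key in sorted(summary):
        row = summary[key]
        rows.append([key] + [row.get(c, 0) for c in header[1:]])
    return rows


if __name__ == "__main__":
    for r in to_rows(summarize(parse_events(SAMPLE_LOG))):
        print("\t".join(str(c) for c in r))
```

Swap `by="user"` for `by="ClientID"` and adjust `LINE_RE` to whatever fields your events actually carry; the point of the `status_unparsed` column is that, if a status field is missing or non-numeric for some events, you see that bucket rather than only a blank or lower-than-expected Successful/Unsuccessful count.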