I have the following data structure in Splunk. Each JSON block represents one Splunk row or record:
{
"startTime": "2023-09-09T05:10:16.2360649Z",
"version": "1.0.0",
"duration": 64,
"status": "Allow",
"method": "POST",
"recordId": "PF6ZN3ALJS9S",
"setSpans": [0.31, 0.98, 0.9, 0.49, 1.02, 1.07, 0.41, 0.5, 1.01, 0.99, 0.49],
"getSpans": [0.48, 1.76, 0.41, 0.31, 0.41, 0.31, 0.43, 0.91, 0.32, 0.4, 0.9]
}
{
"startTime": "2023-09-09T05:10:16.6549716Z",
"version": "1.0.0",
"duration": 34,
"status": "OK",
"method": "GET",
"recordId": "CU5WJKHHAAKM",
"setSpans": [1.04],
"getSpans": [0.46, 1.03, 0.41, 0.97, 0.41, 0.34, 0.94, 0.4, 0.39, 0.95]
}
{
"startTime": "2023-09-09T05:10:17.6927429Z",
"version": "1.0.0",
"duration": 75,
"status": "Allow",
"method": "POST",
"recordId": "764YR7FK7EZQ",
"setSpans": [0.98, 0.9, 1.04, 1.01, 0.99, 1.01, 1.0, 1.02],
"getSpans": [1.11, 1.82, 0.41, 0.31, 1.08, 0.37, 1.02, 0.33, 1.13, 0.9, 1.0, 0.93, 0.34, 0.33, 0.99, 0.9]
}
There are two fields, setSpans and getSpans, both in array form. Their arrays contain doubles.
I need to compute the sum of the items of each of these arrays separately. I need to use eval or something else to create an additional field on each record so that I can run stats or timechart on them.
Or possibly a table like the one below.
recordId     | totalSetSpan | totalGetSpan
-------------|--------------|-------------
PF6ZN3ALJS9S | 7.68         | 5.74
CU5WJKHHAAKM | 1.04         | 5.35
764YR7FK7EZQ | 7.95         | 12.07
I need to be able to run a query like the following.
... my search ... | ... eval or stats or something to get setSpanSum and getSpanSum... | timechart span=1m p99(setSpanSum)
I hope I have explained my problem correctly. Any help or direction on solving this would be greatly appreciated.
Splunk can treat JSON arrays as multi-value fields, but to add up the contents of a multi-value field you need the mvstats external command. Get it from Splunkbase (https://splunkbase.splunk.com/app/5198) and install it. Then you can use this run-anywhere example as a guide.
| makeresults format=json data="[ {
\"startTime\": \"2023-09-09T05:10:16.2360649Z\",
\"version\": \"1.0.0\",
\"duration\": 64,
\"status\": \"Allow\",
\"method\": \"POST\",
\"recordId\": \"PF6ZN3ALJS9S\",
\"setSpans\": [0.31, 0.98, 0.9, 0.49, 1.02, 1.07, 0.41, 0.5, 1.01, 0.99, 0.49],
\"getSpans\": [0.48, 1.76, 0.41, 0.31, 0.41, 0.31, 0.43, 0.91, 0.32, 0.4, 0.9]
},
{
\"startTime\": \"2023-09-09T05:10:16.6549716Z\",
\"version\": \"1.0.0\",
\"duration\": 34,
\"status\": \"OK\",
\"method\": \"GET\",
\"recordId\": \"CU5WJKHHAAKM\",
\"setSpans\": [1.04],
\"getSpans\": [0.46, 1.03, 0.41, 0.97, 0.41, 0.34, 0.94, 0.4, 0.39, 0.95]
},
{
\"startTime\": \"2023-09-09T05:10:17.6927429Z\",
\"version\": \"1.0.0\",
\"duration\": 75,
\"status\": \"Allow\",
\"method\": \"POST\",
\"recordId\": \"764YR7FK7EZQ\",
\"setSpans\": [0.98, 0.9, 1.04, 1.01, 0.99, 1.01, 1.0, 1.02],
\"getSpans\": [1.11, 1.82, 0.41, 0.31, 1.08, 0.37, 1.02, 0.33, 1.13, 0.9, 1.0, 0.93, 0.34, 0.33, 0.99, 0.9]
}]"
``` Above creates test data. Remove IRL ```
``` Convert the setSpans array into a Splunk multi-value field ```
| eval mvSetSpans=json_array_to_mv(setSpans, false())
``` Add the contents of the MV field ```
| mvstats sum mvSetSpans as totalSetSpan
``` Repeat for getSpans ```
| eval mvGetSpans=json_array_to_mv(getSpans, false())
| mvstats sum mvGetSpans as totalGetSpan
``` Display the results ```
| table recordId totalSetSpan totalGetSpan
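As an added run-anywhere example (not part of the answer above), the same per-record sums computed without installing the mvstats add-on. It assumes Splunk 9.0 or later, where `foreach mode=multivalue` iterates over the values of a multi-value field and `<<ITEM>>` names the current element; the three records are constructed from the question's data, trimmed to the fields the sum needs. Comments are placed at the end of lines in SPL's triple-backtick comment syntax.

```spl
| makeresults format=json data="[
  {\"recordId\": \"PF6ZN3ALJS9S\", \"setSpans\": [0.31, 0.98, 0.9, 0.49, 1.02, 1.07, 0.41, 0.5, 1.01, 0.99, 0.49], \"getSpans\": [0.48, 1.76, 0.41, 0.31, 0.41, 0.31, 0.43, 0.91, 0.32, 0.4, 0.9]},
  {\"recordId\": \"CU5WJKHHAAKM\", \"setSpans\": [1.04], \"getSpans\": [0.46, 1.03, 0.41, 0.97, 0.41, 0.34, 0.94, 0.4, 0.39, 0.95]},
  {\"recordId\": \"764YR7FK7EZQ\", \"setSpans\": [0.98, 0.9, 1.04, 1.01, 0.99, 1.01, 1.0, 1.02], \"getSpans\": [1.11, 1.82, 0.41, 0.31, 1.08, 0.37, 1.02, 0.33, 1.13, 0.9, 1.0, 0.93, 0.34, 0.33, 0.99, 0.9]}
]"   ``` constructed test data; remove this makeresults and use your own search IRL ```
| eval mvSetSpans=json_array_to_mv(setSpans, false()),
       mvGetSpans=json_array_to_mv(getSpans, false())   ``` JSON array -> multi-value field, as in the answer above ```
| eval totalSetSpan=0, totalGetSpan=0   ``` start the running totals at 0 so an empty array still yields a number ```
| foreach mode=multivalue mvSetSpans [ eval totalSetSpan=totalSetSpan + <<ITEM>> ]   ``` Splunk 9.0+: add each element ```
| foreach mode=multivalue mvGetSpans [ eval totalGetSpan=totalGetSpan + <<ITEM>> ]
| eval totalSetSpan=round(totalSetSpan, 2), totalGetSpan=round(totalGetSpan, 2)   ``` drop floating-point noise ```
| table recordId totalSetSpan totalGetSpan
```

On indexed events, `_time` is already set, so the final `table` can be replaced with the query from the question, e.g. `| timechart span=1m p99(totalSetSpan)`; `makeresults` stamps every constructed record with the current time, so a timechart over this test data collapses into a single bucket.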