我需要发现数据中的异常情况。我拥有的数据是某些电影的个人观看次数。我需要找到在一段较短的时间间隔(例如 1 小时)内异常受欢迎的内容。并检查几周的数据。
一个选项是每小时手动运行一次查询
``` Run this over 60m time window ```
index=mydata
| top limit=100 movieId
显然我不想为一周的数据执行 24 * 7 = 168 次。
如何将数据分入时间桶,并通过 movieId 获取百分比?这就是我想到的:
``` Run this over 1+ week ```
index=mydata
| bin span=60m _time
| top limit=100 movieId, _time
这对我没有帮助,因为
top重申一下,您正在使用 top 来生成百分比。但是,您希望按单位时间计算和查看该百分比。下面的 SPL 是一个随处运行的示例,其中有解释每一行的内联注释。您要查找的逻辑位于 bin 命令行之后。结果是每部电影每小时的百分比。
| gentimes start=9/1/23 end=9/27/23 increment=5m
| eval _time = starttime
| eval ViewCount = random()%100
| eval Movie = random()%5
| eval MovieName = "Movie". "-" .Movie
| fields _time MovieName ViewCount
```` everything above is to generate the random data needed for 5 movie examples over various time stamps ```
| bin _time span=1h ``` break down _time into one hour bins ```
| eventstats sum(ViewCount) AS SumCount BY _time ``` Add an event to the data that sums up all the view counts within those _time bins ```
| eval Pct = round('ViewCount'/'SumCount'*100,1) ``` Each movie now has its own count and carries a summary figure. We calculate a percentage and round it to one decimal place ```
| timechart span=1h sum(Pct) BY MovieName ``` To compare movie percentages in one hour spans of time (matches your bin span) ```