我有一个日志文件,记录处理文件的开始和结束时间。条目包含如下所示的字符串:
=============== STARTED PROCESSING FILE filename at Thu Jul 19 00:03:55 2018 EDT===============
=============== FINISHED PROCESSING FILE filename at Thu Jul 19 00:04:05 2018 EDT===============
最初我使用_time提出了一个查询:
processing.log "FINISHED PROCESSING FILE" OR "STARTED PROCESSING FILE" | rex field=_raw "(?<filename>\S*)" | stats count first(_time) as start last(_time) as finished by filename | eval duration = abs( finished - start)
这似乎工作得很好,直到我意识到完成和开始的时间相隔几小时即使实际处理到10秒(如上例所示。所以现在我正在尝试这个查询:
processing.log "FINISHED PROCESSING FILE" OR "STARTED PROCESSING FILE" | rex field=_raw "(?<filename>\S*) at (?<ptime>.*) EDT" | eval stime=strptime(ptime,'%a %B %d %Y %H:%M:%S')| stats count first(stime) as start last(stime) as finished by filename | eval duration = abs( finished - start)
但是,它没有提供显示每个文件名的处理持续时间的所需结果。我做错了什么/我该如何解决这个问题?
而不是...| stats count first(stime) as start last(stime) as finished by filename |eval duration = abs( finished - start)尝试... | stats count range(stime) as duration by filename