Combine 2 queries based on a common value

Question  Votes: 2  Answers: 1
1st query
ns=mynamespace* app_name=A-api API=GET_INITIAL_DATA NAME=*

2nd query
ns=mynamespace* app_name=B-api API=GET_FINAL_DATA NAME=*

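I have the 2 queries above. Each one queries the logs of a microservice. But I don't want to call them separately and would like a single query. I want to be able to match the 1st query against the 2nd query based on NAME. I am trying to get the percentages as well as the total counts. Trying to achieve the following: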

GET_INITIAL_DATA Total count: 10000000
GET_FINAL_DATA count that matched NAME in 1st call : 8000000
Matching call Percentage : 80%
Non Matching call Percentage : 20%

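and show it in a chart, broken down by week over three months. Is there a way to do this? I expect millions of records, so it doesn't make sense for me to run the first query, get all the names (millions of 'em), and then use that data to make the second call. Please assist. Thanks.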

splunk splunk-query
1 Answer
0 votes

You can try the query below and transpose the result to achieve this

 GET_INITIAL_DATA Total count: 10000000
GET_FINAL_DATA count that matched NAME in 1st call : 8000000
Matching call Percentage : 80%
Non Matching call Percentage : 20%

Query:

(ns=mynamespace* app_name=A-api API=GET_INITIAL_DATA NAME=*) OR (ns=mynamespace* app_name=B-api API=GET_FINAL_DATA NAME=*)
| stats values(app_name) as Apps_list dc(app_name) as Apps_no by NAME
| search Apps_list="A-api"
| eval match=if(Apps_no=2,"Match",null())
| table NAME,Apps_no,match,Apps_list
| stats dc(NAME) as GET_INITIAL_DATA count(match) as GET_FINAL_DATA
| eval Match_call=round((GET_FINAL_DATA/GET_INITIAL_DATA)*100,0)
| eval nonmatch_call=(100-Match_call)."%"
| eval Match_call=Match_call."%"
| rename GET_INITIAL_DATA as "GET_INITIAL_DATA Total count" GET_FINAL_DATA as "GET_FINAL_DATA count that matched NAME in 1st call" Match_call as "Matching call Percentage" nonmatch_call as "Non Matching call Percentage"
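
The weekly breakdown over three months that the question asks for, as an added example that is not part of the original answer. It assumes the API field holds exactly the two values shown in the question, that a NAME's initial and final calls land in the same calendar week, and that "total" means distinct NAME values, as in the answer's dc(NAME). The output field names (initial_calls, final_calls, initial_total, matched, matching_pct, non_matching_pct) are hypothetical.

```spl
(ns=mynamespace* app_name=A-api API=GET_INITIAL_DATA NAME=*) OR (ns=mynamespace* app_name=B-api API=GET_FINAL_DATA NAME=*) earliest=-3mon@w latest=@w
| bin _time span=1w
| stats count(eval(API="GET_INITIAL_DATA")) as initial_calls count(eval(API="GET_FINAL_DATA")) as final_calls by _time NAME
| where initial_calls > 0
| stats count as initial_total sum(eval(if(final_calls > 0, 1, 0))) as matched by _time
| eval matching_pct = round(matched / initial_total * 100, 0)
| eval non_matching_pct = 100 - matching_pct
| table _time initial_total matched matching_pct non_matching_pct
```

Both services are read in a single pass and reduced to one row per week, so the list of names is never handed from one search to another. The two percentage columns can be charted directly against _time.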