我有以下 Splunk 搜索,它从我的数据集中收集不同的状态:
some type of search | eval Status = (REJECT_REASON) | bucket _time span=day | stats count by Status这是我的数据集的示例:
CorrelationId Reject_Reason DATE_TIME
12345679 Accepted 20231030 14:00:00
12345679 Accepted 20231030 14:00:00
12345679 Accepted 20231030 14:00:00
12345679 Sent 20231030 00:00:00
12345679 Sent 20231030 00:00:00
12345679 Sent 20231030 00:00:00
99399394 Rejected 20231030 00:00:00
99399394 Rejected 20231030 00:00:00
88393933 Accepted 20231030 14:00:00
88393933 Sent 20231030 00:00:00
33454545 Rejected 20231030 00:00:00
我只想获取不同correlationId的状态,这意味着使用示例数据集我只会返回4个correlationId的计数以及最新日期的状态。
期望结果示例:
Status Count
Accepted 2
Rejected 2
我尝试使用“dedup correlationId”,但当我将其添加到搜索中时,它没有返回任何结果。
根据最新(截至 11 月 1 日)要求,我的查询如下:
|makeresults count=11 | streamstats count
| eval CorrelationID=case(count >=1 and count<=6, 12345679, count in (7,8), 99399394, count in (9,10), 88393933, count=11, 33454545),
Reject_Reason=case(count in (1,2,3) OR count=9, "Accepted", count in (4,5,6) or count=10, "Sent", count in (7,8) or count=11, "Rejected"),
DATE_TIME=case(count in (1,2,3) or count=9, "20231030 14:00:00", true(), "20231030 00:00:00" )
| fields - _time, count
``` The above is test data setup ```
| eval Status=Reject_Reason
| eventstats max(DATE_TIME) as mx by CorrelationID
| where DATE_TIME=mx
| dedup CorrelationID, Status
| stats dc(CorrelationID) as "Count" by Status