format splunk query by renaming search elements
I need some help with a splunk query that I'm trying to use.
This query works fine to gather the information I need:
index=prd_aws_billing (source="/*2017-12.csv") LinkedAccountId="1234567810" OR LinkedAccountId="123456789" ProductName="Amazon Elastic Compute Cloud" | stats sum(UnBlendedCost) AS Cost by ResourceId,UsageType,user_Name,user_Engagement
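But I would like to refine it a bit. I want to represent user_Engagement as Engagement and user_Name as "Resource Name".
I tried using AS to change the output, the same way I changed UnBlendedCost to "Cost". But when I do that, it kills my query and nothing is returned. For example, if I do either: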
index=prd_aws_billing (source="/*2017-12.csv") LinkedAccountId="123456789" OR LinkedAccountId="1234567810" ProductName="Amazon Elastic Compute Cloud" | stats sum(UnBlendedCost) AS Cost by ResourceId AS “Resource Name”,UsageType,user_Name,user_Engagement AS “Engagement”
or
index=prd_aws_billing (source="/*2017-12.csv") LinkedAccountId="123456789" OR LinkedAccountId="1234567819" ProductName="Amazon Elastic Compute Cloud" ResourceID AS “Resource Name” user_Engagement AS “Engagement” | stats sum(UnBlendedCost) AS Cost by ResourceId AS “Resource Name”,UsageType,user_Name,user_Engagement AS “Engagement”
The query dies, and no information is returned. How can I reformat the search elements listed after the 'by' clause?
Use the | rename command. You can only use AS to rename the fields that are being transformed in | stats.
index=prd_aws_billing (source="/*2017-12.csv") LinkedAccountId="1234567810" OR LinkedAccountId="123456789" ProductName="Amazon Elastic Compute Cloud"
| stats sum(UnBlendedCost) AS Cost by ResourceId,UsageType,user_Name,user_Engagement
| rename user_Name as "Resource Name" user_Engagement as Engagement