How to append two queries in splunk?

I have the following two queries:

host="abc*" sourcetype="xyz" Request="some.jsp" | stats count as "TotalCount" by Request

This gives the total number of requests.

host="abc*" sourcetype="xyz" Request="some.jsp" | where TimeTaken < 6000 | stats count as "ReqLT6Sec" by Request

This gives the number of requests whose response time is less than 6 seconds.

My requirement is to get both of these results by running a single query. I tried appending the queries as follows:

host="abc*" sourcetype="xyz" Request="some.jsp" | stats count as "TotalCount" by Request | append [search host="abc*" sourcetype="xyz" Request="some.jsp" | where TimeTaken < 6000 | stats count as "ReqLT6Sec" by Request]

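This works for a simple request like the one above with a single jsp, but if I use a wildcard for the request and the data is large, the count for "ReqLT6Sec" does not match the result obtained when the single query is run. I would appreciate help with getting this in a simpler way.

Thanks.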

You can combine the two searches like this.

host="abc*" sourcetype="xyz" Request="some.jsp"
| stats count as "TotalCount" count(eval(TimeTaken < 6000)) as ReqLT6Sec by Request
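The single-pass form from the answer above can be checked without any indexed data; this is an added example, not part of the original question or answer. It assumes six constructed events generated with makeresults in place of the host/sourcetype search, with made-up Request and TimeTaken values chosen to cover the 6000 ms boundary and a Request that has no fast responses at all; the helper field n and the PctLT6Sec column are also additions.

```spl
| makeresults count=6
| streamstats count as n
| eval Request=case(n<=3, "some.jsp", n<=5, "other.jsp", true(), "third.jsp")
| eval TimeTaken=case(n=1, 1200, n=2, 7500, n=3, 300, n=4, 6000, n=5, 5999, n=6, 9100)
| stats count as TotalCount count(eval(TimeTaken < 6000)) as ReqLT6Sec by Request
| eval PctLT6Sec=round(100 * ReqLT6Sec / TotalCount, 1)
| fields Request TotalCount ReqLT6Sec PctLT6Sec
```

Both counts come from the same pass over the same events, so each Request gets one row holding TotalCount and ReqLT6Sec side by side, including a Request whose ReqLT6Sec is 0.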