Splunk: combine fields from multiple lines

Context

Suppose I have logs structured like this:

TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers} # I want this
TID: http-incoming-972453 >> Accept: application/json {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Host: some.organization.com {org.apache.synapse.transport.http.headers}
.....
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Content-Type: application/x-www-form-urlencoded {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Transfer-Encoding: chunked {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Host: some.other.organization.intra:9444 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Connection: Keep-Alive {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> User-Agent: Synapse-PT-HttpComponents-NIO {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
.....
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers} # with this
TID: http-incoming-972453 << X-Frame-Options: DENY {org.apache.synapse.transport.http.headers}
.....

and I have adjusted props.conf so that

TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}

ends up indexed with the following fields

TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}

I am looking for a way to count requests by httpStatus and ressourceName, using httpRequestId as the join key.

Attempts

Since the information about ressourceName and httpStatus occurs on different events, I thought of using join. This gives no results at all:

index=* role="gw" httpAction="incoming" | join type=outer httpRequestId [fields ressourceName,httpStatus] | stats count by ressourceName,httpStatus

While reading the Splunk documentation I also came across selfjoin, which gives only partial results:

index=* role="gw" httpAction="incoming" | selfjoin httpRequestId | stats count by ressourceName,httpStatus

How can I combine fields from multiple events to get a result like this?

/somewhere           200         30
/somewhere           403         1
/somewhere/else      200         15

You might want to look at using the transaction command.

index=* role="gw" httpAction="incoming" | transaction httpRequestId | stats count by ressourceName,httpStatus

Depending on the amount of data and the time range you want to analyze, either transaction or join should be sufficient.

Your use of join is incorrect. The subsearch must be a valid search, starting with "search" or "|".

Try the stats command.

index=foo role=gw httpAction="incoming"
| stats values(*) as * by httpRequestId
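The stats approach in the answer above works because `stats values(*) as * by httpRequestId` collapses every event of one request into a single row, after which `| stats count by ressourceName, httpStatus` gives exactly the table the question asks for. The following Python model is an added example, not code from the original post or from Splunk: it parses a constructed wire log in the same per-header-line format, extracts the fields the asker's props.conf is assumed to produce (the real extraction config is not shown on the page, so the regexes here are an assumption), and then reproduces both stats stages. It also surfaces the one thing that pipeline silently hides: a request line that never received a response line is dropped from the final count because one of its by-fields is null.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample wire log (not from any real system), in the one-header-per-line
# format shown in the question. Request IDs, resources and statuses are made up;
# 972456 deliberately has no response line yet.
SAMPLE_LOG = """\
TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Host: some.organization.com {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 << X-Frame-Options: DENY {org.apache.synapse.transport.http.headers}
TID: http-incoming-972454 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972454 << HTTP/1.1 403 Forbidden {org.apache.synapse.transport.http.headers}
TID: http-incoming-972455 >> GET /somewhere/else HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972455 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972456 >> GET /somewhere/else HTTP/1.1 {org.apache.synapse.transport.http.headers}
"""

# Assumed extractions, standing in for the asker's props.conf (not on the page):
# every line yields httpAction and httpRequestId; a request line (">>") adds
# ressourceName, a status line ("<<") adds httpStatus.
EVENT_RE = re.compile(
    r"^TID: http-(?P<httpAction>incoming|outgoing)-(?P<httpRequestId>\d+) "
    r"(?P<direction>>>|<<) (?P<payload>.*) "
    r"\{org\.apache\.synapse\.transport\.http\.headers\}$"
)
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<ressourceName>\S+) HTTP/\d\.\d$")
STATUS_LINE_RE = re.compile(r"^HTTP/\d\.\d (?P<httpStatus>\d{3})(?: |$)")


def extract_fields(line: str) -> dict | None:
    """Turn one raw log line into the indexed fields; None if it is not a wire-log line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {"httpAction": m["httpAction"], "httpRequestId": m["httpRequestId"]}
    payload = m["payload"]
    if m["direction"] == ">>":
        req = REQUEST_LINE_RE.match(payload)
        if req:
            fields["ressourceName"] = req["ressourceName"]
    else:
        status = STATUS_LINE_RE.match(payload)
        if status:
            fields["httpStatus"] = status["httpStatus"]
    return fields


def parse_events(text: str) -> list[dict]:
    """One event per line, header lines included, as Splunk would index them."""
    return [f for f in (extract_fields(line) for line in text.splitlines()) if f]


def combine_by_request_id(events: list[dict], http_action: str = "incoming") -> dict[str, dict]:
    """Model of `httpAction="incoming" | stats values(*) as * by httpRequestId`:
    one row per request ID carrying every field seen on any of its events.
    Splunk's values() keeps all distinct values as a multivalue field; the fields
    here occur once per request, so first-seen wins and the result is equivalent."""
    combined: dict[str, dict] = {}
    for ev in events:
        if ev["httpAction"] != http_action:
            continue
        row = combined.setdefault(ev["httpRequestId"], {})
        for key, value in ev.items():
            row.setdefault(key, value)
    return combined


def count_by_resource_status(combined: dict[str, dict]) -> Counter:
    """Model of `| stats count by ressourceName, httpStatus`. Like Splunk, a row
    that lacks either by-field is dropped rather than counted under a blank value."""
    return Counter(
        (row["ressourceName"], row["httpStatus"])
        for row in combined.values()
        if "ressourceName" in row and "httpStatus" in row
    )


def unmatched_requests(combined: dict[str, dict]) -> list[str]:
    """Request IDs with a request line but no response status: the rows the
    stats pipeline silently discards, which is worth reporting on its own."""
    return sorted(
        rid for rid, row in combined.items()
        if "ressourceName" in row and "httpStatus" not in row
    )


if __name__ == "__main__":
    rows = combine_by_request_id(parse_events(SAMPLE_LOG))
    for (resource, status), n in sorted(count_by_resource_status(rows).items()):
        print(f"{resource:<20} {status:>4} {n:>4}")
    print("requests without a response line:", unmatched_requests(rows))
```

The outgoing (http-outgoing-8816) events are filtered out before combining, matching the `httpAction="incoming"` clause in the question's searches, so the backend call to /oauth2/token never pollutes the per-resource counts. If the requests-without-response list is non-empty on real data, widen the time range or count those rows separately; a `403` on `/token` showing up in the table is the kind of signal this join exists to surface.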