Splunk Cloud search query with variable does not return results
I have a query that returns no results and shows no error (same with the where and search commands):
"ExtendedProperties.PrCode"="myProductName"
| eval myversion="12.916"| where "ExtendedProperties.ProductVersion"=myversion
The query without eval returns results:
"ExtendedProperties.PrCode"="myProductName"
| search "ExtendedProperties.ProductVersion"="12.916"
The last three digits of the product version are the month (September) and the day (16); my end goal is to derive them from the current date using the now() function. That would remove the need to update the query every day.
Unfortunately, this query does not return results either:
"ExtendedProperties.PrCode"="myProductName"
| eval month = ltrim(tostring(strftime(now(),"%m")),"0")
| eval day = strftime(now(),"%d")
| eval version="12." + month + day
| where "ExtendedProperties.ProductVersion"=version
Here is some sample data:
{"Timestamp":"2020-12-14T14:37:00.2662745Z","Categories":["someCategoryString"],"Metadata":["someMetadataString"],"ExtendedProperties":{"MachineId":"SomeMachineId","ProductVersion":"12.916","PrCode":"MyProductName","ProductType":"1","Type":"ProductUsed","Source":"SomeSourceString","SessionId":"SomeGuid","TimeStamp":"2020-12-14T14:36:56.7086819Z","Environment":"SomeEnvironment"}}
This returns results:
|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"="12.1219"
However, when I replace the string "12.1219" (at the end of the search) with the version variable holding the same value, no results are found:
|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"ProductType\":\"1\",\"Type\":\"ProductUsed\",\"Source\":\"SomeSourceString\",\"SessionId\":\"SomeGuid\",\"TimeStamp\":\"2020-12-14T14:36:56.7086819Z\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day|spath | search "ExtendedProperties.ProductVersion"=version
The expected output is a single record containing the expected version (12.1219 today).
Don't use eval and where, or eval and search. Put it in the initial search:
"ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.916"
Let Splunk do the work for you, and let it do it in the most efficient way :)
Edit reflecting the question update:
Try something like this:
index=ndx "ExtendedProperties.PrCode"="myProductName" "ExtendedProperties.ProductVersion"="12.*"
| eval monthday=ltrim(strftime(now(),"%m"),"0") . strftime(now(),"%d")
| where match('ExtendedProperties.ProductVersion', monthday)
First, don't use two evals; one will do :)
Second, learn the various functions and their arguments, e.g. strftime and the common time formats, or match.
I found that a query can return no results if the field is not extracted properly. So for this query the results show up as expected:
|makeresults | eval _raw = "{\"Timestamp\":\"2020-12-14T14:37:00.2662745Z\",\"Categories\":[\"someCategoryString\"],\"Metadata\":[\"someMetadataString\"],\"ExtendedProperties\":{\"MachineId\":\"SomeMachineId\",\"ProductVersion\":\"12.1219\",\"PrCode\":\"MyProductName\",\"Environment\":\"SomeEnvironment\"}}", month = ltrim(tostring(strftime(now(),"%m")),"0"), day = strftime(now(),"%d"),version="12."+month+day | rex "ProductVersion[\\":]*(?<ExtractedProductVersion>[^\\":]*)" | where ExtractedProductVersion=version
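The behaviour both posts run into comes from SPL's quoting rule in eval and where: a double-quoted token is a string literal, a single-quoted token is a field name, and a field whose name contains a dot (as spath produces for nested JSON) can only be referenced with single quotes. `where "ExtendedProperties.ProductVersion"=version` therefore compares the literal text `ExtendedProperties.ProductVersion` with the computed version and never matches, and `search ...=version` treats `version` as a literal value rather than a field. The search below is an added example, not code from the question or either answer; it builds two constructed events, pins the date with strptime so the result is reproducible, and evaluates the same comparison both ways side by side:

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1, "{\"ExtendedProperties\":{\"ProductVersion\":\"12.916\",\"PrCode\":\"MyProductName\"}}", "{\"ExtendedProperties\":{\"ProductVersion\":\"12.915\",\"PrCode\":\"MyProductName\"}}")
| spath
| eval today=strptime("2020-09-16", "%Y-%m-%d")
| eval version="12." . ltrim(strftime(today, "%m"), "0") . strftime(today, "%d")
| eval literal_compare=if("ExtendedProperties.ProductVersion"=version, "match", "no match")
| eval field_compare=if('ExtendedProperties.ProductVersion'=version, "match", "no match")
| table n ExtendedProperties.ProductVersion version literal_compare field_compare
```

For the row with n=1 the table shows version 12.916, literal_compare "no match" and field_compare "match"; the n=2 row shows "no match" in both columns. The ltrim on the month is what makes September produce 916 rather than 0916, matching the format in the sample data. In a real search, replace the strptime with now() and replace the two diagnostic evals and the table with `| where 'ExtendedProperties.ProductVersion'=version`, which is the filter the original question was after.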