Sumologic: How to get average time difference between two messages

I have a set of logs like the following:

Log10:[requestId=2][taskId=C][message='End']
Log9: [requestId=2][taskId=C][message='Start']
Log8: [requestId=2][taskId=B][message='End']
Log7: [requestId=1][taskId=B][message='End']
Log6: [requestId=1][taskId=B][message='Start']
Log5: [requestId=1][taskId=A][message='End']
Log4: [requestId=2][taskId=B][message='Start']
Log3: [requestId=2][taskId=A][message='End']
Log2: [requestId=2][taskId=A][message='Start']
Log1: [requestId=1][taskId=A][message='Start']

First, I want to calculate the average time taken to complete each task. I was able to do this with transactionize:

* | concat(requestId,":",taskId) as transactionKey | transactionize transactionKey avg(_group_duration) group by taskId

Now I want to know how much time (on average) elapses between one task finishing and the next task starting.

For this specific example, the output I want is:

((Log9 - Log8) + (Log4 - Log3) + (Log6 - Log5)) / 3

Any clues would be greatly appreciated.

Thanks to @chadoliver, who pointed me to the diff operator.

* | keyvalue auto | diff _messagetime by requestId | where message = "End" | avg(_diff) | ceil(_avg)
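To make the two computations above concrete (the per-task average duration from the transactionize query, and the End-to-next-Start gap that the diff query targets), here is an added Python model of both. It is not code from the page or from Sumo Logic; the timestamps on the ten sample lines are assumed (the page shows none), and the gap logic assumes rows are walked in chronological order per requestId, which is the order in which Start follows End. In Sumo Logic itself the sign of _diff depends on the row ordering the search produces, so check a few raw rows before trusting the average.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample: the ten log lines from the question with assumed
# epoch-second timestamps added (Log1 oldest .. Log10 newest).
SAMPLE_LOGS = [
    (100, "[requestId=1][taskId=A][message='Start']"),  # Log1
    (101, "[requestId=2][taskId=A][message='Start']"),  # Log2
    (105, "[requestId=2][taskId=A][message='End']"),    # Log3
    (108, "[requestId=2][taskId=B][message='Start']"),  # Log4
    (110, "[requestId=1][taskId=A][message='End']"),    # Log5
    (114, "[requestId=1][taskId=B][message='Start']"),  # Log6
    (120, "[requestId=1][taskId=B][message='End']"),    # Log7
    (121, "[requestId=2][taskId=B][message='End']"),    # Log8
    (126, "[requestId=2][taskId=C][message='Start']"),  # Log9
    (130, "[requestId=2][taskId=C][message='End']"),    # Log10
]

# Matches [key=value] and [key='value'] segments (hypothetical stand-in for `keyvalue auto`).
KV_RE = re.compile(r"\[(\w+)=('?)([^'\]]*)\2\]")


def parse(line):
    """Return the bracketed key=value pairs of one log line as a dict."""
    return {key: value for key, _quote, value in KV_RE.findall(line)}


def task_durations(logs):
    """Model of `transactionize requestId:taskId | avg(_group_duration) group by taskId`:
    pair each Start with the End of the same (requestId, taskId) and average per taskId."""
    open_starts = {}
    durations = defaultdict(list)
    for ts, line in sorted(logs):
        fields = parse(line)
        key = (fields["requestId"], fields["taskId"])
        if fields["message"] == "Start":
            open_starts[key] = ts
        elif fields["message"] == "End" and key in open_starts:
            durations[fields["taskId"]].append(ts - open_starts.pop(key))
    return {task: mean(values) for task, values in durations.items()}


def gap_diffs(logs):
    """Model of `diff _messagetime by requestId` restricted to the rows that matter:
    the time from an End row to the next Start row of the same requestId."""
    previous = {}  # requestId -> (timestamp, message) of the preceding row
    gaps = []
    for ts, line in sorted(logs):
        fields = parse(line)
        rid = fields["requestId"]
        if rid in previous and previous[rid][1] == "End" and fields["message"] == "Start":
            gaps.append(ts - previous[rid][0])
        previous[rid] = (ts, fields["message"])
    return gaps


def average_gap(logs):
    """Average idle time between tasks, i.e. ((Log9-Log8)+(Log4-Log3)+(Log6-Log5))/3 here."""
    gaps = gap_diffs(logs)
    return mean(gaps) if gaps else None


if __name__ == "__main__":
    print("avg duration per task:", task_durations(SAMPLE_LOGS))
    print("gaps:", gap_diffs(SAMPLE_LOGS), "average:", average_gap(SAMPLE_LOGS))
```

With the assumed timestamps the three gaps are 3, 4 and 5 seconds, so the average is 4; the transactionize model gives A=7, B=9.5, C=4. Rows where two End messages or two Start messages of one request follow each other are skipped rather than averaged in, which is the filtering the `where message = ...` clause is there to do in the Sumo query.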

You can use regex, avg and group by functions to get aggregated results.

_sourceCategory="dev/test-app"
and "[Error]"
and "Error occurred"
| formatDate(_receiptTime, "yyyy-MM-dd") as date
| parse regex field=_raw "Error occurred. Exception:(?<message> \w.*)" nodrop
| replace(message,/my custom error message: ([0-9A-Fa-f\-]{36})/,"my custom error message") as replaceMessage
| parse regex field=_raw "\[Error](?<otherMessage> \w.*)" nodrop
| if (replaceMessage = "", otherMessage, replaceMessage ) as  consolidatedMessage
| if (length(consolidatedMessage)> 150,substring(consolidatedMessage,0, 150),consolidatedMessage) as  finalMessage
| count date, finalMessage
| transpose row data column finalMessage

https://www.youtube.com/watch?v=Nxzp7G-rUh8