Splunk 搜索消息是否为 x 超过 5 分钟
Splunk search if message is x for more than 5 minutes
我在每个用户搜索的 splunk 数据中有两条特定消息。
- 在屏幕上
- 离屏
任何人都知道我如何在 splunk 中搜索 message="off-screen" 超过 5 分钟且每 2 分钟检查一次查询的用户吗?
index="document" (message="off-screen")
我的查询将 运行 每 2 分钟一次,因此我想检查屏幕外消息的事件。然后下次检查自屏幕消息被触发以来是否已经过去 5 分钟,并且在该时间段内没有为该用户触发屏幕上的事件。
这可能吗?
如果你想找到5分钟内没有屏幕消息的屏幕外消息,那么你可以使用交易。假设您的原始数据是:
| makeresults count=10
| streamstats count
| eval _time=_time-(count*60)
| eval message=case(count=1,"on-screen",count=2,"on-screen",count=5,"off-screen",count=8,"off-screen",count=9,"on-screen",count=10,"on-screen")
| eval user=case(count=1,"Alice",count=2,"Bob",count=5,"Alice",count=8,"Bob",count=9,"Alice",count=10,"Bob")
| where NOT isnull(user)
| table _time user message
看起来像这样:
_time
user
message
2021-05-28 13:57:50
Alice
on-screen
2021-05-28 13:56:50
Bob
on-screen
2021-05-28 13:53:50
Alice
off-screen
2021-05-28 13:50:50
Bob
off-screen
2021-05-28 13:49:50
Alice
on-screen
2021-05-28 13:48:50
Bob
on-screen
你需要一个交易,收集用户在5分钟内的屏幕上和屏幕外的共同响应。但是您需要将孤儿保留在屏幕外消息没有相应屏幕消息的地方。然后你过滤掉同时拥有这两者的交易,你只得到孤儿:
message="off-screen" OR message="on-screen"
| transaction user maxpause=5m keeporphans=true startswith="message=off-screen" endswith="message=on-screen"
| where mvcount(message)<2
| table _time user message
这将产生以下输出:
_time
user
message
2021-05-28 13:50:50
Bob
off-screen
这是一个可运行的例子:
| makeresults count=10
| streamstats count
| eval _time=_time-(count*60)
| eval message=case(count=1,"on-screen",count=2,"on-screen",count=5,"off-screen",count=8,"off-screen",count=9,"on-screen",count=10,"on-screen")
| eval user=case(count=1,"Alice",count=2,"Bob",count=5,"Alice",count=8,"Bob",count=9,"Alice",count=10,"Bob")
| where NOT isnull(user)
| table _time user message
| search message="off-screen" OR message="on-screen"
| transaction user maxpause=5m keeporphans=true startswith="message=off-screen" endswith="message=on-screen"
| where mvcount(message)<2
| table _time user message
我在每个用户搜索的 splunk 数据中有两条特定消息。
- 在屏幕上
- 离屏
任何人都知道我如何在 splunk 中搜索 message="off-screen" 超过 5 分钟且每 2 分钟检查一次查询的用户吗?
index="document" (message="off-screen")
我的查询将 运行 每 2 分钟一次,因此我想检查屏幕外消息的事件。然后下次检查自屏幕消息被触发以来是否已经过去 5 分钟,并且在该时间段内没有为该用户触发屏幕上的事件。 这可能吗?
如果你想找到5分钟内没有屏幕消息的屏幕外消息,那么你可以使用交易。假设您的原始数据是:
| makeresults count=10
| streamstats count
| eval _time=_time-(count*60)
| eval message=case(count=1,"on-screen",count=2,"on-screen",count=5,"off-screen",count=8,"off-screen",count=9,"on-screen",count=10,"on-screen")
| eval user=case(count=1,"Alice",count=2,"Bob",count=5,"Alice",count=8,"Bob",count=9,"Alice",count=10,"Bob")
| where NOT isnull(user)
| table _time user message
看起来像这样:
| _time | user | message |
|---|---|---|
| 2021-05-28 13:57:50 | Alice | on-screen |
| 2021-05-28 13:56:50 | Bob | on-screen |
| 2021-05-28 13:53:50 | Alice | off-screen |
| 2021-05-28 13:50:50 | Bob | off-screen |
| 2021-05-28 13:49:50 | Alice | on-screen |
| 2021-05-28 13:48:50 | Bob | on-screen |
你需要一个交易,收集用户在5分钟内的屏幕上和屏幕外的共同响应。但是您需要将孤儿保留在屏幕外消息没有相应屏幕消息的地方。然后你过滤掉同时拥有这两者的交易,你只得到孤儿:
message="off-screen" OR message="on-screen"
| transaction user maxpause=5m keeporphans=true startswith="message=off-screen" endswith="message=on-screen"
| where mvcount(message)<2
| table _time user message
这将产生以下输出:
| _time | user | message |
|---|---|---|
| 2021-05-28 13:50:50 | Bob | off-screen |
这是一个可运行的例子:
| makeresults count=10
| streamstats count
| eval _time=_time-(count*60)
| eval message=case(count=1,"on-screen",count=2,"on-screen",count=5,"off-screen",count=8,"off-screen",count=9,"on-screen",count=10,"on-screen")
| eval user=case(count=1,"Alice",count=2,"Bob",count=5,"Alice",count=8,"Bob",count=9,"Alice",count=10,"Bob")
| where NOT isnull(user)
| table _time user message
| search message="off-screen" OR message="on-screen"
| transaction user maxpause=5m keeporphans=true startswith="message=off-screen" endswith="message=on-screen"
| where mvcount(message)<2
| table _time user message