Count and sum in Splunk

I have this set of data:

name    fruit   location
mary    apple   east
ben     pear    east
peter   pear    east
ben     apple   north
ben     mango   north
peter   mango   north
mary    orange  north
alice   pear    north
janet   pear    north
janet   mango   west
janet   mango   west
peter   mango   west
janet   pear    west

I want to get the fields: name, the number of fruit sent to each name, and the number of fruit sent to each name per location.

I tried:

|stats sum(count) as scount_by_name by name

|stats count as count_by_namelocation (......filled with other formulas......) by name location

|Table count_by_namelocation scount_by_name

But it doesn't work: scount_by_name is empty. What is the correct syntax?

There are a few problems here.

The first stats command tries to sum the count field, but that field does not exist. That is why scount_by_name is empty.

More importantly, though, stats is a transforming command. That means its output is very different from its input. Specifically, the only fields passed on to the second stats are name and scount_by_name, so the second stats cannot see the location field and therefore cannot count anything.

One workaround for consecutive stats commands is to use streamstats or eventstats, which are not transforming commands.

This run-anywhere example should illustrate it.

|  makeresults 
|  eval _raw="name    fruit   location
mary    apple   east
ben    pear    east
peter   pear    east
ben    apple   north
ben    mango   north
peter   mango   north
mary    orange  north
alice   pear    north
janet   pear    north
janet   mango   west
janet   mango   west
peter   mango   west
janet   pear    west" 
| multikv forceheader=1
| streamstats count as scount_by_name by name
| streamstats count as count_by_namelocation by name location
| table count_by_namelocation scount_by_name
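To make the transforming versus non-transforming distinction concrete, here is an added Python model of the pipeline semantics the answer describes (example code, not from the original post or from Splunk): `stats_count` keeps only the by-fields plus the aggregate, as stats does, while `eventstats_count` keeps every event and annotates it. The asker's rows are re-typed as constructed input; the function names are this example's own.

```python
from collections import Counter

# Constructed sample events: the same rows as the asker's table.
EVENTS = [
    dict(name=n, fruit=f, location=l) for n, f, l in [
        ("mary", "apple", "east"), ("ben", "pear", "east"),
        ("peter", "pear", "east"), ("ben", "apple", "north"),
        ("ben", "mango", "north"), ("peter", "mango", "north"),
        ("mary", "orange", "north"), ("alice", "pear", "north"),
        ("janet", "pear", "north"), ("janet", "mango", "west"),
        ("janet", "mango", "west"), ("peter", "mango", "west"),
        ("janet", "pear", "west"),
    ]
]

def _key(event, by):
    return tuple(event.get(k) for k in by)

def stats_count(events, by, out):
    """Model of `| stats count as <out> by <by...>`: transforming, so each
    result row carries ONLY the by-fields plus the new count field."""
    counts = Counter(_key(e, by) for e in events)
    return [dict(zip(by, key), **{out: n}) for key, n in counts.items()]

def eventstats_count(events, by, out):
    """Model of `| eventstats count as <out> by <by...>`: non-transforming,
    every event is kept with all its fields and gains its group's total."""
    counts = Counter(_key(e, by) for e in events)
    return [dict(e, **{out: counts[_key(e, by)]}) for e in events]

def chained_stats(events):
    """The asker's approach. After the first stats the 'location' field is
    gone (and so is every field but name/scount_by_name), so the second
    grouping sees location as missing and scount_by_name does not survive."""
    first = stats_count(events, ["name"], "scount_by_name")
    return stats_count(first, ["name", "location"], "count_by_namelocation")

def chained_eventstats(events):
    """The answer's approach: both counts land on every event; then keep one
    row per name/location (what a trailing dedup would do in SPL)."""
    rows = eventstats_count(events, ["name"], "scount_by_name")
    rows = eventstats_count(rows, ["name", "location"], "count_by_namelocation")
    keep = ("name", "location", "count_by_namelocation", "scount_by_name")
    seen = {}
    for e in rows:
        seen.setdefault((e["name"], e["location"]), {k: e[k] for k in keep})
    return list(seen.values())
```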