Count and sum in splunk
I have this set of data:
name fruit location
mary apple east
ben pear east
peter pear east
ben apple north
ben mango north
peter mango north
mary orange north
alice pear north
janet pear north
janet mango west
janet mango west
peter mango west
janet pear west
I want to get the fields: name, number of fruits sent to name, number of fruits sent to name's location
I tried:
|stats sum(count) as scount_by_name by name
|stats count as count_by_namelocation (......filled with other formulas......) by name location
|Table count_by_namelocation scount_by_name
But it doesn't work; scount_by_name is empty. What is the correct syntax?
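There are a couple of problems here.
The first stats command tries to sum the count field, but that field does not exist. This is why scount_by_name is empty.
More importantly, however, stats is a transforming command. This means its output is very different from its input. Specifically, the only fields passed to the second stats are name and scount_by_name, so the second stats cannot see the location field and therefore cannot count anything.
A workaround for consecutive stats commands is to use streamstats or eventstats, which are not transforming commands.
This run-anywhere example should illustrate.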
| makeresults
| eval _raw="name fruit location
mary apple east
ben pear east
peter pear east
ben apple north
ben mango north
peter mango north
mary orange north
alice pear north
janet pear north
janet mango west
janet mango west
peter mango west
janet pear west"
| multikv forceheader=1
| streamstats count as scount_by_name by name
| streamstats count as count_by_namelocation by name location
| table count_by_namelocation scount_by_name
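An added example, not part of the original answer: the same run-anywhere search using eventstats, the other non-transforming command the answer names. eventstats writes each group's total onto every event (streamstats writes a running count instead), so after dedup there is one row per name and location carrying both counts.

```spl
| makeresults
| eval _raw="name fruit location
mary apple east
ben pear east
peter pear east
ben apple north
ben mango north
peter mango north
mary orange north
alice pear north
janet pear north
janet mango west
janet mango west
peter mango west
janet pear west"
| multikv forceheader=1
| eventstats count as scount_by_name by name
| eventstats count as count_by_namelocation by name location
| dedup name location
| sort name location
| table name location scount_by_name count_by_namelocation
```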