Splunk Query - unexpected failure when using today's date

I have a query with some conditional evaluation. When I ran it for yesterday it ran without errors, but when I run it for today's date I get an unexpected character error.

This works (yesterday's query):

index="some_index" sourcetype="a:b" earliest=-1d@d+16h latest=-1d@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted
| eval dfeFailures=if( batchJobCompleted > 0 ,
  [search index="another_index" earliest=-1d@d+16h latest=-1d@d+17h sourcetype="c:/d" "Summary" AND "RUN_TYPE: 'FOO'" 
  | rex field=_raw "STUFF:\s+(?<STUFF>\w+)"
  | return $STUFF ]
  ,"Not Fininshed")

Changing the date to today, the first part works:

index="some_index" sourcetype="a:b" earliest=@d+16h latest=@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted

Changing the date to today in the second search as well, this does not work:

index="some_index" sourcetype="a:b" earliest=@d+16h latest=@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted
| eval dfeFailures=if( batchJobCompleted > 0 ,
  [search index="another_index" earliest=@d+16h latest=@d+17h sourcetype="c:/d" "Summary" AND "RUN_TYPE: 'FOO'" 
  | rex field=_raw "STUFF:\s+(?<STUFF>\w+)"
  | return $STUFF ]
  ,"Not Fininshed")

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',"Not Fininshed")'. The search job has failed due to an error. You may be able view the job in the Job Inspector.

When you run the subsearch (the "second search" in the OP) by itself, does it return something that makes sense in the then clause of the if function? If not, you will get that error message and will need to modify the subsearch so that it produces valid output.

One way to do that is to use appendpipe:

index="some_index" sourcetype="a:b" earliest=@d+16h latest=@d+17h app_name="SOME-BATCH-*" "Job completed at"
| stats count as batchJobCompleted
| eval dfeFailures=if( batchJobCompleted > 0 ,
  [search index="another_index" earliest=@d+16h latest=@d+17h sourcetype="c:/d" "Summary" AND "RUN_TYPE: 'FOO'" 
  | rex field=_raw "STUFF:\s+(?<STUFF>\w+)"
  | appendpipe [ stats count | eval STUFF="something that works" | where count=0 | fields - count ]
  | return $STUFF ]
  ,"Not Fininshed")
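The following is an added illustration, not code from the question or the answer above. It emulates in Python what the answer describes: Splunk splices the text produced by a subsearch's `return $field` into the outer search before the `eval` is parsed, so a subsearch that matches no events (today's 16:00-17:00 window has no "Summary" event yet) leaves the then-branch of `if()` empty and the expression malformed. The appendpipe fallback from the answer is emulated as "append one row carrying a default when the input has no rows". The assumptions are that `return $field` emits the first row's value as a quoted string and nothing at all for an empty result set; the row data is constructed for the example.

```python
import re

# Constructed sample subsearch results (not real Splunk output).
YESTERDAY_ROWS = [{"STUFF": "NONE"}]   # the batch run left a "Summary" event
TODAY_ROWS = []                        # no "Summary" event in today's window yet


def return_field(rows, field):
    """Emulate `| return $field` (assumption): the first row's value,
    quoted; an empty string when the subsearch has no results."""
    if not rows:
        return ""
    return f'"{rows[0][field]}"'


def with_fallback(rows, field, default):
    """Emulate `| appendpipe [stats count | eval F=default | where count=0 | fields - count]`:
    a single default row is appended only when the input is empty."""
    return rows if rows else [{field: default}]


def build_eval(then_text, else_text="Not Fininshed"):
    """Splice the subsearch text into the outer eval, as Splunk does textually."""
    return f'eval dfeFailures=if( batchJobCompleted > 0 , {then_text} ,"{else_text}")'


def if_is_well_formed(expr):
    """Minimal structural check: if() must receive three non-empty arguments.
    The naive comma split is adequate here because no argument contains a comma."""
    m = re.search(r"if\((.*)\)$", expr)
    if not m:
        return False
    args = [a.strip() for a in m.group(1).split(",")]
    return len(args) == 3 and all(args)


def check_query(rows, use_fallback):
    """Return (expanded eval text, whether it parses) for a given subsearch result."""
    if use_fallback:
        rows = with_fallback(rows, "STUFF", "something that works")
    expr = build_eval(return_field(rows, "STUFF"))
    return expr, if_is_well_formed(expr)


if __name__ == "__main__":
    for label, rows in (("yesterday", YESTERDAY_ROWS), ("today", TODAY_ROWS)):
        for fallback in (False, True):
            expr, ok = check_query(rows, fallback)
            print(f"{label:9s} fallback={fallback!s:5s} ok={ok!s:5s} {expr}")
```

Running it shows the empty then-branch `if( batchJobCompleted > 0 ,  ,"Not Fininshed")` for today's query without the fallback, which is exactly the position Splunk's error message points at, and a well-formed expression once the appendpipe default row is present.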