Splunk 查询 - 按 splunk 中的字段对事件进行分组
Splunk Query - group events by fields in splunk
我在 Splunk 中有一些日志事件,如下所示:
Payment request to app_name_foo for brand: B1, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring
Payment request to app_name_foo for brand: B1, app_id: A2, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A3, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A4, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
我正在尝试 table 如下所示:
BRAND | CREDITCARD | DIRECTDEBIT | GPAY
B1 | 1 | 0 | 1
B2 | 1 | 0 | 2
到目前为止我尝试过的:
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count over brand by method
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count over brand by "payment method"
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count(eval(method==CREDITCARD)) AS CREDITCARD count(eval(method==DIRECTDEBIT)) AS DIRECTDEBIT count(eval(method==GPAY )) AS GPAY by brand
很遗憾,Splunk 似乎无法识别支付方式 或支付方式。上面的查询(以及我在互联网上找到的更多查询)没有产生任何结果。
如果我用 app_id 替换 method 或 payment method 那么我得到一些结果。
我错过了什么?请帮忙。
在使用字段之前,必须首先提取它们。有多种方法可以做到这一点,其中一种方法是使用 extract 命令。
index = app_name_foo sourcetype = app "Payment request to myApp for brand"
| extract kvdelim=":" pairdelim=","
| rename Payment_request_to_app_name_foo_for_brand as brand
| chart count over brand by payment_method
您会注意到 extract 可能不会像预期的那样抓取字段名称。此外,空格被替换为下划线。
现在我们有了要处理的字段,让我们谈谈输出。
请告诉我们更多有关 CREDITCARD、DIRECTDEBIT 和 GPAY 列是如何派生的信息。 B1 如何仅从 2 个事件中获得值为 5 的 CREDITCARD? DIRECTDEBIT 从何而来? GPAY如何从只有3个事件加起来达到5个?
我在 Splunk 中有一些日志事件,如下所示:
Payment request to app_name_foo for brand: B1, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring
Payment request to app_name_foo for brand: B1, app_id: A2, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A3, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A4, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
我正在尝试 table 如下所示:
BRAND | CREDITCARD | DIRECTDEBIT | GPAY
B1 | 1 | 0 | 1
B2 | 1 | 0 | 2
到目前为止我尝试过的:
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count over brand by method
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count over brand by "payment method"
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count(eval(method==CREDITCARD)) AS CREDITCARD count(eval(method==DIRECTDEBIT)) AS DIRECTDEBIT count(eval(method==GPAY )) AS GPAY by brand
很遗憾,Splunk 似乎无法识别支付方式 或支付方式。上面的查询(以及我在互联网上找到的更多查询)没有产生任何结果。
如果我用 app_id 替换 method 或 payment method 那么我得到一些结果。
我错过了什么?请帮忙。
在使用字段之前,必须首先提取它们。有多种方法可以做到这一点,其中一种方法是使用 extract 命令。
index = app_name_foo sourcetype = app "Payment request to myApp for brand"
| extract kvdelim=":" pairdelim=","
| rename Payment_request_to_app_name_foo_for_brand as brand
| chart count over brand by payment_method
您会注意到 extract 可能不会像预期的那样抓取字段名称。此外,空格被替换为下划线。
现在我们有了要处理的字段,让我们谈谈输出。 请告诉我们更多有关 CREDITCARD、DIRECTDEBIT 和 GPAY 列是如何派生的信息。 B1 如何仅从 2 个事件中获得值为 5 的 CREDITCARD? DIRECTDEBIT 从何而来? GPAY如何从只有3个事件加起来达到5个?