编写 splunk 查询以获取大于零的工作日数
Write splunk query to fetch the number of working days greater than zero
我正在尝试编写一个 splunk 查询,如果工作天数大于零,我需要在其中获取用户详细信息。例如我有以下数据
I, [2022-01-04T01:32:10.165065 #21461] INFO -- : fetched user details for user_id: 5612 with working_days: 0
I, [2021-01-04T01:32:10.165065 #21461] INFO -- : fetched user details for user_id: 5619 with working_days: 10
I, [2021-02-04T01:28:10.165065 #21461] INFO -- : fetched user details for user_id: 8901 with working_days: 0
I, [2021-03-04T01:18:10.165065 #21461] INFO -- : fetched user details for user_id: 306561 with working_days: 35
我需要连同 working_days 一起获取 user_id。唯一条件是工作天数大于0
fetched user details for user_id: 5619 with working_days: 10
fetched user details for user_id: 306561 with working_days: 35
下面的查询没有给出正确的结果。感谢任何帮助
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.*) with working_days:(?<working_days>.*)"
| table user_id,working_days
更新 1
我尝试了以下方法,但 none 有效
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where working_days > 0 | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where 'working_days' > 0 | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where working_days > '0' | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where "working_days" > '0' | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where not working_days == 0 | table user_id,working_days
使用 where 或 search 命令过滤结果。
"fetched user details for user_id: "
| rex field=_raw " user_id:(?<user_id>\d+) with working_days:(?<working_days>\d+)"
| search working_days > 0
| table user_id,working_days
我正在尝试编写一个 splunk 查询,如果工作天数大于零,我需要在其中获取用户详细信息。例如我有以下数据
I, [2022-01-04T01:32:10.165065 #21461] INFO -- : fetched user details for user_id: 5612 with working_days: 0
I, [2021-01-04T01:32:10.165065 #21461] INFO -- : fetched user details for user_id: 5619 with working_days: 10
I, [2021-02-04T01:28:10.165065 #21461] INFO -- : fetched user details for user_id: 8901 with working_days: 0
I, [2021-03-04T01:18:10.165065 #21461] INFO -- : fetched user details for user_id: 306561 with working_days: 35
我需要连同 working_days 一起获取 user_id。唯一条件是工作天数大于0
fetched user details for user_id: 5619 with working_days: 10
fetched user details for user_id: 306561 with working_days: 35
下面的查询没有给出正确的结果。感谢任何帮助
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.*) with working_days:(?<working_days>.*)"
| table user_id,working_days
更新 1
我尝试了以下方法,但 none 有效
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where working_days > 0 | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where 'working_days' > 0 | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where working_days > '0' | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where "working_days" > '0' | table user_id,working_days
"fetched user details for user_id: "
| rex field=_raw "fetched user details for user_id:(?<user_id>.\d+) with working_days:(?<working_days>.\d+)"
| where not working_days == 0 | table user_id,working_days
使用 where 或 search 命令过滤结果。
"fetched user details for user_id: "
| rex field=_raw " user_id:(?<user_id>\d+) with working_days:(?<working_days>\d+)"
| search working_days > 0
| table user_id,working_days