查询以提取数据
Query to extract data
这是日志的片段:
127.0.0.1 - - [01/Dec/2020:00:00:11 -0500] "GET / url:"api/orderLaptop for customer id 123"
127.0.0.1 - - [01/Nov/2020:00:00:24 -0500] "GET / url:"api/orderLaptop for customer id 124"
127.0.0.1 - - [05/Nov/2020:00:00:11 -0500] "GET / url:"api/orderLaptop for customer id 333"
127.0.0.1 - - [01/Nov/2020:00:00:24 -0500] "GET / url:"api/orderCamera for customer id 124"
127.0.0.1 - - [05/Nov/2020:00:00:11 -0500] "GET / url:"api/orderCamera for customer id 333"
127.0.0.1 - - [10/Aug/2020:00:00:24 -0500] "GET / url:"api/orderLaptop for customer id 444"
127.0.0.1 - - [13/Aug/2020:00:00:24 -0500] "GET / url:"api/orderCamera for customer id 434"
是否可以在 Splunk 中生成一份报告,显示客户每月购买了多少产品,例如笔记本电脑和相机。
我的预期输出应如下所示:
Item
Month purchased
Total customers purchased
Laptop
August
1
Camera
August
1
Laptop
November
2
Camera
November
2
Laptop
December
1
Camera
December
0
非常感谢。
假设您已经拥有从日志事件中提取事件时间的正确配置,您可以将提取的 _time 中的月份格式化为 strftime()。
然后,我将使用 rex 和正则表达式捕获组提取其他字段。
然后使用 stats 按项目、month_purchased 和客户分组。
最后,用 fields 删除 customer 字段。
| eval month_purchased=strftime(_time, "%B")
| rex field=_raw "api/order(?<Item>\w+) for customer id (?<customer>\d+)"
| stats count as "Total customers purchased" by item month_purchased as "Month purchased" customer
| fields -customer
这是日志的片段:
127.0.0.1 - - [01/Dec/2020:00:00:11 -0500] "GET / url:"api/orderLaptop for customer id 123"
127.0.0.1 - - [01/Nov/2020:00:00:24 -0500] "GET / url:"api/orderLaptop for customer id 124"
127.0.0.1 - - [05/Nov/2020:00:00:11 -0500] "GET / url:"api/orderLaptop for customer id 333"
127.0.0.1 - - [01/Nov/2020:00:00:24 -0500] "GET / url:"api/orderCamera for customer id 124"
127.0.0.1 - - [05/Nov/2020:00:00:11 -0500] "GET / url:"api/orderCamera for customer id 333"
127.0.0.1 - - [10/Aug/2020:00:00:24 -0500] "GET / url:"api/orderLaptop for customer id 444"
127.0.0.1 - - [13/Aug/2020:00:00:24 -0500] "GET / url:"api/orderCamera for customer id 434"
是否可以在 Splunk 中生成一份报告,显示客户每月购买了多少产品,例如笔记本电脑和相机。
我的预期输出应如下所示:
| Item | Month purchased | Total customers purchased |
|---|---|---|
| Laptop | August | 1 |
| Camera | August | 1 |
| Laptop | November | 2 |
| Camera | November | 2 |
| Laptop | December | 1 |
| Camera | December | 0 |
非常感谢。
假设您已经拥有从日志事件中提取事件时间的正确配置,您可以将提取的 _time 中的月份格式化为 strftime()。
然后,我将使用 rex 和正则表达式捕获组提取其他字段。
然后使用 stats 按项目、month_purchased 和客户分组。
最后,用 fields 删除 customer 字段。
| eval month_purchased=strftime(_time, "%B")
| rex field=_raw "api/order(?<Item>\w+) for customer id (?<customer>\d+)"
| stats count as "Total customers purchased" by item month_purchased as "Month purchased" customer
| fields -customer