Identify state depending on one or more log lines

I have a log of file imports

01-01-21 10:00:00  File Read   , filename_a
01-01-21 10:00:01  File failed , filename_a
01-01-21 10:00:01  File Read   , filename_b
01-01-21 10:00:02  File failed , filename_a
01-01-21 10:00:03  File succeed, filename_a
01-01-21 10:00:04  File failed , filename_b

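How can I detect that file "a" was imported successfully, while file "b" is in a failed state?

I tried transaction, but it didn't work.

After extracting the status and filename fields, select the latest event for each file. That will tell you the current state.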

index=foo
| rex "File (?<status>\w+)\s*, (?<filename>.*)"
| dedup filename
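
The same "latest event per file" logic can be checked offline against the log lines from the question. This is an added Python example, not part of the original answer; the function names and the DD-MM-YY reading of the timestamp are assumptions. Unlike `dedup`, it does not depend on the order in which events arrive.

```python
import re
from datetime import datetime

# Sample input: the log lines from the question, embedded so this runs offline.
SAMPLE_LOG = """\
01-01-21 10:00:00  File Read   , filename_a
01-01-21 10:00:01  File failed , filename_a
01-01-21 10:00:01  File Read   , filename_b
01-01-21 10:00:02  File failed , filename_a
01-01-21 10:00:03  File succeed, filename_a
01-01-21 10:00:04  File failed , filename_b
"""

# Same extraction as the rex in the answer, plus the leading timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"File (?P<status>\w+)\s*, (?P<filename>.*)$"
)


def latest_status(log_text):
    """Return {filename: status} taken from the most recent event per file."""
    latest = {}
    for seq, line in enumerate(log_text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        # Assumption: the date is DD-MM-YY (the sample is ambiguous).
        ts = datetime.strptime(m["ts"], "%d-%m-%y %H:%M:%S")
        key = (ts, seq)  # input position breaks ties within the same second
        name = m["filename"].strip()
        if name not in latest or key > latest[name][0]:
            latest[name] = (key, m["status"])
    return {name: status for name, (_, status) in latest.items()}


def files_in_state(log_text, state):
    """Return the sorted filenames whose latest status equals `state`."""
    return sorted(f for f, s in latest_status(log_text).items() if s == state)


if __name__ == "__main__":
    for name, status in sorted(latest_status(SAMPLE_LOG).items()):
        print(name, status)
```
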