Splunk: search for “a first log that got printed, but the second was not printed”

A small question about a Splunk query.

Is there a way to search for “the first log line got printed, but the second one was not printed”? Background: I have a very simple piece of Java logic like this:

LOGGER.info("START/END compute something that might result in a bad exception for id START " + id);
invoke_method_which_can_fail(id); // may throw, in which case the END line below is never logged
LOGGER.info("START/END compute something that might result in a bad exception for id END " + id);

The result looks something like this (a fragment out of about a million lines):

        START/END compute something that might result in a bad exception for id START 12345
        START/END compute something that might result in a bad exception for id END 12345

        START/END compute something that might result in a bad exception for id START 88888

        START/END compute something that might result in a bad exception for id START 98765
        START/END compute something that might result in a bad exception for id END 98765

As you can see, id 88888 in my example printed the start statement but not the end statement, because some error happened in the Java code. (The question is not about how to make the Java code robust.)

Is there a Splunk query that can find those ids for me?

What I have tried: so far I download the search results containing all the starts. Then I download all the search results for the ends. Once I have both, I run another offline script to find all the IDs from the first result set that are not present in the second...

I don't think this is the “sensible way” to do it, and I wonder whether there is a smarter query that can give me the expected result directly in Splunk.

Thanks

You can try the following (using rex and stats):

index=... "START/END compute something that might result in a bad exception for id"
| rex "(?<operation>(START|END))\s+(?<id>\d+)"
| stats count(eval(operation="START")) as start count(eval(operation="END")) as end by id
| where NOT start=end 

I have not tested this SPL code.
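As an added example (not part of the original question or answer), the following Python script reproduces the logic of the SPL above offline: the same regex as the rex stage pulls the operation word and the numeric id out of each line, the counts are grouped per id the way the stats stage does, and ids whose START and END counts differ are reported, matching the where clause. It serves both the asker's offline START-versus-END comparison and the answer's query, and runs on constructed sample lines modelled on the fragment in the question (these are not the asker's real logs).

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled on the fragment in the question.
SAMPLE_LOG = """\
START/END compute something that might result in a bad exception for id START 12345
START/END compute something that might result in a bad exception for id END 12345
START/END compute something that might result in a bad exception for id START 88888
START/END compute something that might result in a bad exception for id START 98765
START/END compute something that might result in a bad exception for id END 98765
"""

# Same pattern as the answer's rex stage: the operation word followed by
# whitespace and the numeric id. The leading "START/END" marker does not match
# because "START" there is followed by "/" and "END" by a word, not digits.
OP_ID_RE = re.compile(r"(?P<operation>START|END)\s+(?P<id>\d+)")


def extract(line):
    """Return (operation, id) for a matching line, or None (rex keeps the first match)."""
    m = OP_ID_RE.search(line)
    if m is None:
        return None
    return m.group("operation"), m.group("id")


def count_by_id(lines):
    """Equivalent of: stats count(eval(operation="START")) as start
                            count(eval(operation="END"))   as end by id"""
    counts = defaultdict(lambda: {"start": 0, "end": 0})
    for line in lines:
        extracted = extract(line)
        if extracted is None:
            continue  # lines without an operation/id pair contribute nothing, as in SPL
        operation, id_ = extracted
        counts[id_]["start" if operation == "START" else "end"] += 1
    return dict(counts)


def unbalanced_ids(lines):
    """Equivalent of: where NOT start=end. Flags ids with a missing END, and also
    ids that were started more often than they ended (e.g. retried work)."""
    return sorted(id_ for id_, c in count_by_id(lines).items() if c["start"] != c["end"])


if __name__ == "__main__":
    for id_ in unbalanced_ids(SAMPLE_LOG.splitlines()):
        print("unbalanced id:", id_)
```

Note that, like `where NOT start=end`, this flags any imbalance rather than only "START without END": an id with two START lines and one END line is reported too, which is usually what you want when diagnosing failed invocations.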