按 "release" 和 "time" 分组的 Splunk 图形数据

Splunk graph data grouped by "release" and "time"

我需要创建一个图表,在 x 轴上显示日期,在 y 轴上按“发布”分组显示“successfully_processed”和“failed_to_process”。

这是我的例子:

|makeresults
| eval raw="100, 2, typeA, 2022-05-25T19:53:51.000-07:00|110, 3, typeA, 2022-05-26T19:53:51.000-08:00|150, 1, typeB, 2022-05-25T19:53:51.000-08:00"
| makemv raw delim="::"
| mvexpand raw
| fields - _time
| streamstats count AS _serial
| makemv raw delim="|"
| mvexpand raw
| rex field=raw "^(?<success>[^,]+),(?<fail>[^,]+),(?<release>[^,]+),(?<_time>[^,]+)$"
| fields - raw
| stats values(success) as Successfully_processed  values(fail) as Failed_to_process by release

当我按版本对它们进行分组时,我也不知道如何获取日期。我需要每天按“发布”分组显示每个日志“successfully_processed”和“failed_to_process”。

有人可以帮忙吗?谢谢

尝试 chart 命令。

| makeresults
| eval raw="100, 2, typeA, 2022-05-25T19:53:51.000-07:00|110, 3, typeA, 2022-05-26T19:53:51.000-08:00|150, 1, typeB, 2022-05-25T19:53:51.000-08:00"
| makemv raw delim="::"
| mvexpand raw
| streamstats count AS _serial
| makemv raw delim="|"
| mvexpand raw
| rex field=raw "^(?<success>[^,]+),(?<failure>[^,]+),(?<release>[^,]+),(?<_time>[^,]+)$"
| fields - raw
| chart values(success) as success, values(failure) as failure over _time by release