英文:

Extracting a count from raw splunk data by id

问题

我正在尝试从Splunk中保留的原始数据中获取事务信息的计数。有3-5个事务发生。

其中一个具有原始数据，其中提到：pin匹配id 12345678-1234-1234-abcd-12345678abcd 或pin不匹配id等。

我试图计算pin匹配在180秒的事务时间窗口内发生的次数。

我尝试做一些类似以下的事情：
|eval raw=_raw |search index=transa
|eval pinc= if((raw like "pin匹配"),1,0) |stats count(pinc) as Pincount by ID

我遇到的问题是它在无论我查看这些事务的哪个时间时都会累计计数。有没有一种方法可以将它与消息中的ID关联起来，或者在该时间窗口内计算每次发生的次数？

谢谢！

英文:

I am trying to get a count from transactional information that is retained within raw data in splunk. I have 3-5 transactions that occur.

One has raw data stating: pin match for id 12345678-1234-1234-abcd-12345678abcd or pin mismatched for id etc.

I'm trying to count the number of times the pin match occurs within the transaction time window of 180sec.

I was trying to do something like:
|eval raw=_raw |search index=transa
|eval pinc= if((raw like "%pin match%"),1,0) |stats count(pinc) as Pincount by ID

The issue I'm having is it is counting cumulatively over whatever time I am looking at those transactions. Is there a way to attach it to the ID that is within the message or have it count every one that occurs within that time window?

Thanks!

答案1

得分: 1

假设已经提取了 PIN 状态和 ID：

index=ndx sourcetype=srctp "pin" "match" OR "mismatched"
| rex field=_raw "pin (?<pin_status>\w+)"
| rex field=_raw "id (?<id>\S+)"
| eval status_time=pin_status+"|"+_time
| stats earliest(status_time) as beginning latest(status_time) as ending by id
| eval beginning=split(beginning,"|"), ending=split(ending,"|")
| eval beginning=mvindex(beginning,-1), ending=mvindex(ending,-1)
| table id beginning ending
| sort 0 id
| eval beginning=strftime(beginning,"%c"), ending=strftime(ending,"%c")

提取状态（"match" 或 "mismatched"）和 ID 后，将个别事件的 _time 追加到状态的末尾 - 我们将在 stats 之后再将该值提取出来

使用 stats，按 id 找到 status_time 的最早和最晚条目（在前一行刚刚创建的字段），将它们保存到新字段 beginning 和 ending 中

接下来，对 beginning 和 ending 进行 split()，以分隔状态和时间戳之间的管道，创建一个 多值字段

然后将多值字段的最后一项（我们知道它是时间戳）赋值给自身（因为我们知道 status_time 的最早条目应始终为 "match"，而最晚条目应始终为 "mismatched"）

最后，使用 table 显示 ID 和时间戳，按 ID 进行 排序，并将时间戳格式化为可读的形式（strftime 接受多种 参数，%c 只是其中一个快捷方式）

<details>
<summary>英文:</summary>

Presuming the pin status and ID have not been extracted:

index=ndx sourcetype=srctp "pin" "match" OR "mismatched"
| rex field=_raw "pin (?<pin_status>\w+)"
| rex field=_raw "id (?<id>\S+)"
| eval status_time=pin_status+"|"+_time
| stats earliest(status_time) as beginning latest(status_time) as ending by id
| eval beginning=split(beginning,"|"), ending=split(ending,"|")
| eval begining=mvindex(beginning,-1), ending=mvindex(ending,-1)
| table id beginning ending
| sort 0 id
| eval beginning=strftime(beginning,"%c"), ending=strftime(ending,"%c")

After extracting the status ("match" or "mismatched") and the id, append the individual event's `_time` to the end of the status - we'll pull that value back out after `stats`ing

Using [`stats`][1], find the earliest and latest `status_time` entries (fields just created on the previous line) by `id`, saving them into new fields `beginning` and `ending`

Next, [`split()`][2] `beginning` and `ending` on the pipe we added to separate the status from the timestamp into a [multivalue field][3]

Then assign the last item from the multivalue field (which we know is the timestamp) into itself (because we know that the earliest entry for a `status_time` should always be "match", and the latest entry for a `status_time` should always be "mismatched")

Lastly, [`table`][4] the id and time stamps, [sort][5] by id, and format the timestamp into something human readable ([`strftime`][6] takes many [arguments][7], `%c` just happens to be quick)


  [1]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/stats
  [2]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/eval
  [3]: https://docs.splunk.com/Splexicon:Multivaluefield
  [4]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/table
  [5]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/sort
  [6]: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29
  [7]: https://strftime.org

</details>