Splunk filter one search by another

Question
I have two searches that will return orderNumbers
search1
index=main "Failed insert" | table orderNumber
//returns small list
search2
index=main "Successful insert" | table orderNumber
//returns huge list
I want a list of "Failed insert" orderNumbers that have NOT had a "Successful insert" previously. How can I use the results of the second search to filter the results of the first search?
I tried:
index=main "Failed insert"
NOT [
index=main "Successful insert" | table orderNumber]
| dedup orderNumber
| table orderNumber
...but it returned orderNumbers that did have "Successful insert" events.
Answer 1
Score: 1
I believe this is what you're looking for:
index=main sourcetype=srctp orderNumber=* "failed insert" NOT
[search index=main sourcetype=srctp orderNumber=* "successful insert"
| stats count by orderNumber
| fields - count ]
| stats count by orderNumber
| fields - count
First, stats is going to be a lot more performant than dedup.
Second, so long as your "successful insert" search is 10k items or fewer, it should complete.
If it's longer than 10k items, you may need to do something like this:
index=main sourcetype=srctp orderNumber=* ("failed insert" OR "successful insert")
| rex field=_raw "(?<insert>\w+ )insert"
| stats values(insert) as inserts by orderNumber
| search inserts="*failed*"
| where mvcount(inserts)<2
What this should do is extract the type of insert ("failed" or "successful") into a new field named insert.
Then stats values() all of the insert types each orderNumber had.
Then ensure we're only looking at orderNumber entries that have a "failed" insert.
Then check to make sure there is only one entry in the values()'d field (ie there is no "successful" entry present).
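The two search shapes the answer describes, re-implemented in Python as an added example over a constructed set of events (this is not code from the question, the answer, or Splunk itself). The event format `orderNumber=NNNN Failed insert`, the function names, and the `subsearch_limit` parameter are assumptions made for the illustration; `subsearch_limit` mimics the subsearch result cap the answer refers to, so you can see why the `NOT [subsearch]` form silently leaks orders once the "successful insert" list is truncated, while the single-pass `stats values(insert) by orderNumber` form does not depend on that cap. Python spells the named group `(?P<insert>...)` rather than Splunk's `(?<insert>...)`.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for index=main (not real Splunk data).
EVENTS = [
    'orderNumber=1001 Failed insert',
    'orderNumber=1002 Successful insert',
    'orderNumber=1002 Failed insert',
    'orderNumber=1003 Failed insert',
    'orderNumber=1003 Successful insert',
    'orderNumber=1004 Successful insert',
    'orderNumber=1005 Failed insert',
    'orderNumber=1005 Failed insert',
]

# Assumed field extraction for the constructed event format above.
ORDER_RE = re.compile(r'orderNumber=(?P<orderNumber>\d+)')
# Python spelling of the answer's rex: "(?<insert>\w+ )insert"
INSERT_RE = re.compile(r'(?P<insert>\w+ )insert', re.IGNORECASE)


def parse(event):
    """Return (orderNumber, insert) from a raw event, or None if either is missing.
    The captured insert word is stripped and lower-cased, i.e. 'failed' / 'successful'."""
    m_order = ORDER_RE.search(event)
    m_insert = INSERT_RE.search(event)
    if not m_order or not m_insert:
        return None
    return m_order.group('orderNumber'), m_insert.group('insert').strip().lower()


def failed_not_successful_subsearch(events, subsearch_limit=None):
    """The `"failed insert" NOT [search "successful insert" | stats count by orderNumber]`
    shape: build the successful list first, then exclude it from the failed events.
    subsearch_limit (assumed parameter) truncates that list the way a subsearch
    result cap would; anything past the cap is no longer excluded."""
    successful = []
    for ev in events:
        parsed = parse(ev)
        if parsed and parsed[1] == 'successful' and parsed[0] not in successful:
            successful.append(parsed[0])
    if subsearch_limit is not None:
        successful = successful[:subsearch_limit]
    excluded = set(successful)
    return sorted({p[0] for p in map(parse, events)
                   if p and p[1] == 'failed' and p[0] not in excluded})


def failed_not_successful_single_pass(events):
    """The answer's second shape: one pass over both event kinds,
    `stats values(insert) as inserts by orderNumber`, then keep orders whose
    value set contains 'failed' and has fewer than two entries (mvcount(inserts)<2)."""
    inserts = defaultdict(set)
    for ev in events:
        parsed = parse(ev)
        if parsed:
            inserts[parsed[0]].add(parsed[1])
    return sorted(order for order, vals in inserts.items()
                  if 'failed' in vals and len(vals) < 2)


if __name__ == '__main__':
    print('subsearch, no cap:   ', failed_not_successful_subsearch(EVENTS))
    print('subsearch, cap of 1: ', failed_not_successful_subsearch(EVENTS, subsearch_limit=1))
    print('single pass:         ', failed_not_successful_single_pass(EVENTS))
```

With the constructed events, both uncapped forms return orders 1001 and 1005 (failed with no successful insert). With the subsearch list capped at a single entry, order 1003 reappears in the output even though it did succeed, which is the behaviour the question reported and the reason the answer offers the single-pass form for large "successful insert" result sets.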