Splunk query to map Exceptions to Endpoints
Question
Given a sample incoming request log:

`timestamp=2023-06-29 00:58:56,830 thread=http-nio-8080-exec-1 loglevel=ERROR traceid=8ae88647f7d41729 spanid=8ae88647f7d41729 message="httpUser=123456, httpClientId=osfgs9fgsd, httpStatusCode=400, httpUrl=/path/to/resource, httpMethod=PUT, httpRequestDuration=70"`

which will cause an Exception in the application, logged as:

`timestamp=2023-06-29 00:58:56,829 thread=http-nio-8080-exec-1 loglevel=ERROR traceid=8ae88647f7d41729 spanid=8ae88647f7d41729 message="triggerSplunkAlert, exceptionId=23ghe2eg-cvs-dfs-9bfa-4knkjl, errorCode=IllegalStateException,... (shortened out for brevity)`

I want to create a table such as

| time | httpMethod | httpUrl | errorCode |
| --- | --- | --- | --- |
| 2023-06-29 00:58 | PUT | /path/to/resource | IllegalStateException |
| 2023-06-29 10:23 | POST | /path/to/whatever | NullPointerException |

But I've got no clue how I could put information from different logs within the same table.
Answer 1
Score: 1
This answer presumes your fields are already properly extracted.
If they are not, you'll need to do that first (and we can help you with it).

Something like this should do the trick for you:

```
((index=ndxA sourcetype=srctpA) OR (index=ndxB sourcetype=srctpB)) thread=* spanid=* loglevel=*
| stats values(errorCode) as errorCode values(httpUrl) as httpUrl values(httpMethod) as httpMethod max(_time) as _time by thread spanid loglevel
| table _time httpMethod httpUrl errorCode
```
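The answer above assumes the fields are already extracted. As an added example (not part of the original answer), the search below can be pasted into a Splunk search bar without any index: it builds the two events with `makeresults`, extracts the nested `message` fields with `rex`, and then applies the answer's `stats` unchanged. The second event is a constructed, shortened stand-in for the truncated exception log in the question (its `exceptionId` is a placeholder), and the `rex` patterns are assumptions based on the two sample lines.

```spl
| makeresults count=2
| streamstats count as n
| eval _raw=case(
    n=1, "timestamp=2023-06-29 00:58:56,830 thread=http-nio-8080-exec-1 loglevel=ERROR traceid=8ae88647f7d41729 spanid=8ae88647f7d41729 message=\"httpUser=123456, httpClientId=osfgs9fgsd, httpStatusCode=400, httpUrl=/path/to/resource, httpMethod=PUT, httpRequestDuration=70\"",
    n=2, "timestamp=2023-06-29 00:58:56,829 thread=http-nio-8080-exec-1 loglevel=ERROR traceid=8ae88647f7d41729 spanid=8ae88647f7d41729 message=\"triggerSplunkAlert, exceptionId=constructed-sample-id, errorCode=IllegalStateException\"")
| rex field=_raw "^timestamp=(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) thread=(?<thread>\S+) loglevel=(?<loglevel>\S+) traceid=(?<traceid>\S+) spanid=(?<spanid>\S+)"
| rex field=_raw "httpUrl=(?<httpUrl>[^,\"]+)"
| rex field=_raw "httpMethod=(?<httpMethod>[^,\"]+)"
| rex field=_raw "errorCode=(?<errorCode>[^,\"]+)"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S,%3N")
| stats values(errorCode) as errorCode values(httpUrl) as httpUrl values(httpMethod) as httpMethod max(_time) as _time by thread spanid loglevel
| table _time httpMethod httpUrl errorCode
```

Because both events share `thread`, `spanid` and `loglevel`, `stats` collapses them into a single row carrying `PUT`, `/path/to/resource` and `IllegalStateException`.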