List unique values from Splunk events

Question
```
index=myIndex container_name="abc-mno-pqr" "status code :: 50*"
```

For this Splunk query I am getting events like the ones below:

```
[123-456-789-098] | 2023-07-26 12:05:31:245 [application-1] INFO com.example.event.SampleClasss - status code :: 500
[321-564-986-197] | 2023-07-26 13:04:38:287 [application-1] INFO com.example.event.SampleClasss - status code :: 503
[655-256-278-865] | 2023-07-26 13:05:42:245 [application-1] INFO com.example.event.SampleClasss - status code :: 503
[457-234-856-528] | 2023-07-26 14:08:23:123[application-1] INFO com.example.event.SampleClasss - status code :: 504
[457-234-856-528] | 2023-07-26 14:08:24:123[application-1] INFO com.example.event.SampleClasss - status code :: 504
```

In the above events the last one is a duplicate transactionId, but it is displayed because there is a difference in the timestamp, i.e. 1 second.

I need to display unique IDs with the corresponding status codes, like below:

| transactionId | Status-Code |
| --- | --- |
| 123-456-789-098 | 500 |
| 321-564-986-197 | 503 |
| 655-256-278-865 | 503 |
| 457-234-856-528 | 504 |
Answer 1
Score: 1
`stats` will be your friend here:

```
index=myIndex container_name="abc-mno-pqr" "status code :: 50*"
| stats latest(status) as Status-Code by transactionId
```

If the fields `transactionId` and `status` are not yet extracted, you'll need to pull them out. A way to do this at search time is with `rex`:

```
| rex field=_raw "code\D+(?<status>\d+)"
| rex field=_raw "^\[(?<transactionId>[^\]]+)"
```

regex101 verifications: https://regex101.com/r/JDgzya/1 && https://regex101.com/r/O5qTJ9/1

If you want to see all statuses for each transactionId, do this instead:

```
index=myIndex container_name="abc-mno-pqr" "status code :: 50*"
| stats count by transactionId status
| rename status as Status-Code
```

and with timestamps:

```
index=myIndex container_name="abc-mno-pqr" "status code :: 50*"
| stats count by transactionId status _time
| rename status as Status-Code
```
Answer 2
Score: 0
The assertion "displayed because there is difference in the timestamp i.e 1 second" is incorrect. The events are displayed because they were sent to Splunk and nothing in the query removes them.

To see only unique events, use the `dedup` command to remove duplicates.

```
index=myIndex container_name="abc-mno-pqr" "status code :: 50*"
| dedup transactionId
```

This assumes the transactionId field is extracted automatically.
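As an added example that is not part of either answer, the following Python script applies the two `rex` patterns from Answer 1 to the question's log lines and then reproduces, over the extracted fields, what `stats latest(status) as Status-Code by transactionId`, `stats count by transactionId status` and `dedup transactionId` (Answer 2) each return. The timestamp regex, the `_time`-based result ordering, and the two extra `999-000-111-222` events (one transaction that logs a 500 and a second later a 503) are assumptions added here to show where the three approaches differ; they are not in the original post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events: the five lines from the question, plus two added
# lines for one transaction whose status changes (500, then 503 a second later).
EVENTS = [
    "[123-456-789-098] | 2023-07-26 12:05:31:245 [application-1] INFO com.example.event.SampleClasss - status code :: 500",
    "[321-564-986-197] | 2023-07-26 13:04:38:287 [application-1] INFO com.example.event.SampleClasss - status code :: 503",
    "[655-256-278-865] | 2023-07-26 13:05:42:245 [application-1] INFO com.example.event.SampleClasss - status code :: 503",
    "[457-234-856-528] | 2023-07-26 14:08:23:123[application-1] INFO com.example.event.SampleClasss - status code :: 504",
    "[457-234-856-528] | 2023-07-26 14:08:24:123[application-1] INFO com.example.event.SampleClasss - status code :: 504",
    # Added (not from the question): same transactionId, two different 5xx codes.
    "[999-000-111-222] | 2023-07-26 15:00:00:000 [application-1] INFO com.example.event.SampleClasss - status code :: 500",
    "[999-000-111-222] | 2023-07-26 15:00:01:000 [application-1] INFO com.example.event.SampleClasss - status code :: 503",
]

# The two rex patterns from Answer 1, unchanged apart from Python's (?P<name>)
# spelling of a named group.
STATUS_RE = re.compile(r"code\D+(?P<status>\d+)")
TXN_RE = re.compile(r"^\[(?P<transactionId>[^\]]+)")
# Assumed here: the 'YYYY-MM-DD HH:MM:SS:mmm' stamp after the pipe is _time.
TIME_RE = re.compile(r"\|\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3})")


def extract(raw):
    """Search-time field extraction. Returns a dict with _time, transactionId and
    status, or None when any of the three is missing (rex leaves the field unset)."""
    m_status, m_txn, m_time = STATUS_RE.search(raw), TXN_RE.search(raw), TIME_RE.search(raw)
    if not (m_status and m_txn and m_time):
        return None
    return {
        "_time": datetime.strptime(m_time.group("ts"), "%Y-%m-%d %H:%M:%S:%f"),
        "transactionId": m_txn.group("transactionId"),
        "status": m_status.group("status"),
    }


def search_results(raw_events):
    """Extracted events in Splunk's default result order: most recent first."""
    events = [e for e in (extract(r) for r in raw_events) if e is not None]
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def stats_latest_status_by_txn(results):
    """| stats latest(status) as Status-Code by transactionId
    latest() picks the value from the event with the greatest _time, so the
    order in which results arrive does not matter."""
    latest = {}
    for e in results:
        cur = latest.get(e["transactionId"])
        if cur is None or e["_time"] > cur["_time"]:
            latest[e["transactionId"]] = e
    return {txn: e["status"] for txn, e in latest.items()}


def stats_count_by_txn_status(results):
    """| stats count by transactionId status
    One row per distinct (transactionId, status) pair, so a transaction that
    logged two different codes shows up twice."""
    return Counter((e["transactionId"], e["status"]) for e in results)


def dedup_txn(results):
    """| dedup transactionId
    Keeps the FIRST event seen for each transactionId in result order and drops
    the rest; which event survives therefore depends on the ordering."""
    seen = set()
    kept = []
    for e in results:
        if e["transactionId"] in seen:
            continue
        seen.add(e["transactionId"])
        kept.append(e)
    return kept


if __name__ == "__main__":
    res = search_results(EVENTS)
    print("latest status by transactionId:", stats_latest_status_by_txn(res))
    print("count by transactionId, status:", dict(stats_count_by_txn_status(res)))
    print("dedup keeps:", [(e["transactionId"], e["status"]) for e in dedup_txn(res)])
```

The point the script makes is that `stats latest()` and `dedup` only agree because a plain search returns the newest event first. Put a `| sort _time` before the `dedup` and it keeps the earliest event per ID instead, while `stats latest()` still reports the 503 for the added transaction; `stats count by transactionId status` is the only one of the three that shows both codes.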