_sourceCategory=myService
| json field=_raw "log.Log" as log_message
| json field=_raw "log.Barcode" as log_Barcode
| json field=_raw "log.MachineId" as machine_id
| where log_message contains "successfully sorted"
| count by machine_id
此查询将为我提供每台机器ID的成功计数。
我想要的是获得过去24小时内的所有消息,并获得每小时的平均成功率。
所以没有
| 机器ID | 成功率计数TIME | |
|---|---|---|
| 12345 | 2400 | 24H |
在使用if语句应用时间片之前,您必须标记成功与失败。然后在字段上应用时间片和聚合并计算比率。类似于:
_sourceCategory=myService
| json field=_raw "log.Log" as log_message
| json field=_raw "log.Barcode" as log_Barcode
| json field=_raw "log.MachineId" as machine_id
| if (log_message matches "*successfully sorted*", 1, 0) as success
| timeslice 1h
| count as total_records, sum(success) as successes by _timeslice
| successes / total_records * 100 as success_rate_pct