I have a Splunk index called http_logs with the following fields:
- _time
- status_code
- status_text
- requester
I am trying to use this data to create a table that looks like this:

Requester | Today | Yesterday | Last Seven Days
---|---|---|---
Service1 | 100 (2) | 300 (4) | 2000 (7)
Service2 | 120 (3) | 275 (3) | 2400 (9)
Splunk tables normally have one value per cell. To put multiple values in a cell, we usually concatenate those values into a single value.
To get counts for different time periods, we usually run separate searches and combine the results.
Note the use of sum rather than count in the stats command. This is because the eval function always returns a value (0 or 1), so counting them would give the total number of results rather than the number of events matching the condition.
```Get today's events```
index=http_logs earliest=@d
| eval success=if(status_code>=200 AND status_code<=299, 1, 0)
```Count successes and failures```
| stats sum(eval(success=1)) as today_success, sum(eval(success=0)) as today_fail by requester
```Repeat for yesterday's events```
| append [ search index=http_logs earliest=-1d@d latest=@d
| eval success=if(status_code>=200 AND status_code<=299, 1, 0)
| stats sum(eval(success=1)) as yesterday_success, sum(eval(success=0)) as yesterday_fail by requester ]
```Repeat for the last 7 days' events```
| append [ search index=http_logs earliest=-7d@d latest=now
| eval success=if(status_code>=200 AND status_code<=299, 1, 0)
| stats sum(eval(success=1)) as sevenday_success, sum(eval(success=0)) as sevenday_fail by requester ]
```Put the results together```
| stats values(*) as * by requester
```Build the display values```
| eval Today = today_success . " (" . today_fail . ")"
| eval Yesterday = yesterday_success . " (" . yesterday_fail . ")"
| eval "Last Seven Days" = sevenday_success . " (" . sevenday_fail . ")"
| rename requester as Requester
```Display the results```
| table Requester Today Yesterday "Last Seven Days"