我是Splunk的新人;我有一个这样的查询:
org_name="Something" app_name=MY_APP status_code=401 requesturl=/api/hi
,返回如下结果:
app_name: MY_APP
org_name: something
space_name: space
job: router
message_type: OUT
msg: my.domain.com - [2021-03-08T15:49:54.049006875Z] "POST /api/hiHTTP/1.1" 401 347 147 "-" "insomnia/7.0.3" "10.158.192.20:46006" "10.158.192.158:61002" x_forwarded_for:"208.127.201.110, 2.20.143.172, 10.158.192.20" x_forwarded_proto:"https" vcap_request_id:"539a9655-3198-4604-775c-306a750ca7e5" response_time:0.008447 gorouter_time:0.000489 app_id:"9ecffb96-0b8b-4a7a-be74-484ed6b6f589" app_index:"4" x_cf_routererror:"-" x_mc_correlation_id:"0.ac8f1402.1615218593.dafa73c" x_correlation_id:"-" correlation_id:"0.ac8f1402.1615218593.dafa73c" x_b3_traceid:"0ca5ab5513f3cb99" x_b3_spanid:"0ca5ab5513f3cb99" x_b3_parentspanid:"-" b3:"0ca5ab5513f3cb99-0ca5ab5513f3cb99"
origin: gorouter
source_instance: 7
source_type: RTR
timestamp: 1615218594057716500
我需要搜索所有包含
的条目correlation_id:"0. ac8f1402.1615218593.dafa73c"
Key可以是correlation_id, XC_correlation_id, MC-REAL_correlation_id和其他…
有几种方法可以做到这一点,使用哪种方法取决于您可以使用字段和键名的具体程度。尝试以下命令之一:
| searchmatch("s.*correlation_id:"0.ac8f1402.1615218593.dafa73c"")
| where match(msg, "s.*correlation_id:"0.ac8f1402.1615218593.dafa73c"")
| regex "s.*correlation_id:"0.ac8f1402.1615218593.dafa73c"")
| regex field=msg "s.*correlation_id:"0.ac8f1402.1615218593.dafa73c"")