Splunk dashboard for counting slow operations

Shared application log:

2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45" 
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"

Question: how do I find the total number of APIs that took more than 500 ms in a Splunk dashboard?

Please share a Splunk query to find the following data.

Expected output, shown as a two-column table:
Delayed API-Name: queryAPI
Total occurrences: 1

Based on your sample data:

2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"

this should do it:

index=ndx sourcetype=srctp message=*
| rex field=message "(?<apiname>\w+).+,(?<exectime>\d+\.\d+).+:(?<pid>\d+)$"
| where exectime>500
| stats values(exectime) as longtimes by apiname pid

I assumed you had already extracted the message field, and extracted apiname, exectime and pid from the message field.

https://regex101.com/r/YBKtFc/1
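As an added example that is not part of either post: a Python equivalent of the regex extraction and 500 ms threshold above, run over constructed log lines in the question's format, that produces the per-API count the question asked for (the answer's query lists the slow timings; replacing its last line with `stats count by apiname` gives the count). The function names and the extra updateAPI sample lines are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the question
# (the two original lines plus two invented updateAPI events).
SAMPLE_LOG = """\
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"
2021-08-25T20:45:18.001Z level=info module=xyz pid=46 message="updateAPI, Execution Time(ms):,1203.5, pId:46"
2021-08-25T20:45:18.020Z level=info module=xyz pid=46 message="updateAPI, Execution Time(ms):,88, pId:46"
"""

# Same capture groups as the answer's rex, anchored on the message field;
# exectime additionally accepts a plain integer so "88" is not dropped.
MESSAGE_RE = re.compile(
    r'message="(?P<apiname>\w+).+?,(?P<exectime>\d+(?:\.\d+)?).+?:(?P<pid>\d+)"'
)


def parse_event(line):
    """Return (apiname, exectime_ms, pid), or None if the line does not match."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    return m.group("apiname"), float(m.group("exectime")), int(m.group("pid"))


def count_delayed_apis(log_text, threshold_ms=500.0):
    """Count events per API whose execution time exceeds threshold_ms.

    Equivalent to:  | where exectime>500 | stats count by apiname
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:  # unparseable line: skip, do not crash the report
            continue
        apiname, exectime, _pid = parsed
        if exectime > threshold_ms:
            counts[apiname] += 1
    return dict(counts)


if __name__ == "__main__":
    # Two-column output in the shape the question asked for.
    print(f"{'Delayed API-Name':<20}Total occurrences")
    for api, n in sorted(count_delayed_apis(SAMPLE_LOG).items()):
        print(f"{api:<20}{n}")
```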
