I have a log whose payload looks like this:
"Stats":[ {
errors: 0
type: "Disc"
success: 878
},
{
errors: 21
type: "cronJob"
success: 25
},
{
errors: 0
type: "File"
success: 8787
},
{
errors: 15
type: "Unknown"
success: 0
}]
I need to get rid of the "Unknown" type object and get the sum of the remaining values.
I can get the sum of all errors, but I am not sure how to do this so that the Unknown type is left out. Can you help?
<search>|rename Stats{}.type as type|eventstats sum(errors) as ErrorCount
This is my current search; it does not exclude the Unknown type. How do I add logic that excludes the Unknown counts?
<search>|rename Stats{}.type as type | where type != "Unknown" | eventstats sum(errors) as ErrorCount
The JSON payload is treated as a multivalue field, so you need to mvexpand it first and only then filter out the values you want to ignore.
Try something like this:
index=ndx sourcetype=srctp Stats{}.type=*
| rename Stats{}.type as type
| mvexpand type
| search NOT type="Unknown"
| ...
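To show why the order matters, here is an added Python model (not Splunk code, and not from either poster) of the two approaches on the payload from the question: filtering the event as a whole, where `Stats{}.type` is one multivalue field, versus expanding each Stats element into its own row and then dropping the Unknown one. The wrapping event object and the per-element pairing of type with errors are assumptions of the model.

```python
import json

# Constructed sample event modelled on the payload in the question
# (the values are the ones shown there; the outer object is assumed).
EVENT = json.loads("""
{"Stats": [
  {"errors": 0,  "type": "Disc",    "success": 878},
  {"errors": 21, "type": "cronJob", "success": 25},
  {"errors": 0,  "type": "File",    "success": 8787},
  {"errors": 15, "type": "Unknown", "success": 0}
]}
""")


def total_errors(events):
    """Sum of errors over every Stats element, with no filtering."""
    return sum(s["errors"] for ev in events for s in ev["Stats"])


def filter_before_expand(events, excluded="Unknown"):
    """Model of filtering on the unexpanded multivalue field: the test
    is applied to the event as a whole, so an event that contains an
    Unknown element is discarded together with its other counts."""
    total = 0
    for ev in events:
        types = [s["type"] for s in ev["Stats"]]
        if excluded in types:
            continue  # whole event dropped, Disc/cronJob/File errors lost
        total += sum(s["errors"] for s in ev["Stats"])
    return total


def expand_then_filter(events, excluded="Unknown"):
    """Model of mvexpand followed by the filter: each Stats element
    becomes its own row, only the Unknown row is removed, and the
    errors of the remaining rows are summed."""
    rows = [s for ev in events for s in ev["Stats"]]   # mvexpand
    kept = [r for r in rows if r["type"] != excluded]  # NOT type="Unknown"
    return sum(r["errors"] for r in kept)


if __name__ == "__main__":
    print("unfiltered:", total_errors([EVENT]))              # 36
    print("filter before expand:", filter_before_expand([EVENT]))  # 0
    print("expand then filter:", expand_then_filter([EVENT]))      # 21
```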