Splunk logging using transactions



1) I want to count the number of occurrences of an HTTP URL and the p(95) response time of the URL call: https://example.net/v1/abc/xyz with response code 200 or 500.
2) The response time is the difference between the timestamps of line 6 and line 3.
3) The URL call and the status code both occur on the same thread, Thread-30_Server_1, and the status code should always be the next occurrence. If you see event 1 and event 2 both occurring in the same thread, the response status codes should always be consecutive. So the Splunk search should return event 1 with status 200 and event 2 with status 350.

Here is an excerpt from the log:

Event 1:

Line1) 2017-11-10 03:05:38,826 10606295 INFO  (Thread-30_Server_1:) :Url in else part is:https://example.net/v1/abc/xyz
Line2) 2017-11-10 03:05:38,826 10606295 INFO  (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line3) 2017-11-10 03:05:38,826 10606295 INFO  (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
Line4) 2017-11-10 03:05:38,826 10606295 INFO  (Thread-30_Server_1:) Body: [{"itemID":"42650750083","uom":"EACH","toZipCode":"112173111","qty":1,"channel":"dotcom"}]
Line5) 2017-11-10 03:05:38,826 10606295 INFO  (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line6) 2017-11-10 03:05:39,012 10606481 INFO  (Thread-30_Server_1:) :Status Code is:200
Line7) 2017-11-10 03:05:39,012 10606481 INFO  (Thread-30_Server_1:) :Status message is:"Success"
Line8) 2017-11-10 03:05:39,012 10606481 INFO  (Thread-30_Server_1:) Exit call and 3

Event 2:

Line101) 2017-11-10 03:05:39,364 10606833 INFO  (Thread-30_Server_1:) Enter call with 5 attributes
Line102) 2017-11-10 03:05:39,364 10606833 INFO  (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line103) 2017-11-10 03:05:39,364 10606833 INFO  (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn
Line104) 2017-11-10 03:05:39,364 10606833 INFO  (Thread-30_Server_1:) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Line105) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) ####################################################################
Line106) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) Output from Server
Line107) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) {"status":350,"message":"Success","body":[{"shortageQty":0,"reservedQty":1,"partiallyReservedQty":0,"problemType":"SUCCESS"}}]}
Line108) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) ####################################################################
Line109) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) :Status Code is:350
Line110) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) :Status message is:"Success"
Line111) 2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) Exit call

First, why does your Splunk timestamp differ from the log timestamp? You need to apply a basic configuration in props.conf for correct timestamping and line breaking. I would fix that before doing anything else.

The second part can be solved by merging the 2 lines into one event, then adding a where clause to return only events with status = 200 and status = 350.
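The pairing the answer describes (close the "HTTP url" line with the next "Status Code" line on the same thread, then count and filter by status) written out in Python as an added example, not code from the original post. The sample lines are constructed from the question's excerpt with a second thread interleaved; the one-open-call-per-thread rule and the nearest-rank p95 are my assumptions about how the transaction should close.

```python
import math
import re
from datetime import datetime, timedelta

# Constructed sample (modelled on the question's excerpt); Thread-31 is interleaved to show per-thread pairing.
SAMPLE_LOG = """\
2017-11-10 03:05:38,826 10606295 INFO  (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
2017-11-10 03:05:39,012 10606481 INFO  (Thread-30_Server_1:) :Status Code is:200
2017-11-10 03:05:39,364 10606833 INFO  (Thread-30_Server_1:) HTTP url : https://example.net/v2/mmm/nnn
2017-11-10 03:05:39,442 10606911 INFO  (Thread-30_Server_1:) :Status Code is:350
2017-11-10 03:05:39,500 10606969 INFO  (Thread-31_Server_1:) HTTP url : https://example.net/v1/abc/xyz
2017-11-10 03:05:39,700 10607169 INFO  (Thread-30_Server_1:) HTTP url : https://example.net/v1/abc/xyz
2017-11-10 03:05:39,900 10607369 INFO  (Thread-30_Server_1:) :Status Code is:500
2017-11-10 03:05:40,100 10607569 INFO  (Thread-31_Server_1:) :Status Code is:200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ \w+\s+"
    r"\((?P<thread>[^:)]+):\) ?(?P<msg>.*)$"
)
URL_RE = re.compile(r"HTTP url : (?P<url>\S+)")
STATUS_RE = re.compile(r":Status Code is:(?P<status>\d+)")


def pair_calls(log_text):
    """Pair each 'HTTP url' line with the next 'Status Code' line on the same
    thread (one open call per thread); returns (url, status, response_ms)."""
    pending = {}  # thread -> (url, start timestamp)
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        thread, msg = m["thread"], m["msg"]
        u, s = URL_RE.search(msg), STATUS_RE.search(msg)
        if u:
            pending[thread] = (u["url"], ts)  # a new call supersedes an unmatched one
        elif s and thread in pending:
            url, start = pending.pop(thread)
            ms = round((ts - start) / timedelta(milliseconds=1))
            calls.append((url, int(s["status"]), ms))
    return calls


def summarize(calls, url, statuses=(200, 500)):
    """Count calls to `url` with a status in `statuses`; nearest-rank p95 latency in ms."""
    times = sorted(ms for u, st, ms in calls if u == url and st in statuses)
    if not times:
        return 0, None
    return len(times), times[max(1, math.ceil(0.95 * len(times))) - 1]
```

A URL line that is never closed on its thread is silently dropped, which is the same blind spot a transaction with no end marker has; count those separately in production.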
