如何解决Splunk:合并多行中的字段
上下文
说我的日志结构是这样的
TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers} # I want this
TID: http-incoming-972453 >> Accept: application/json {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Host: some.organization.com {org.apache.synapse.transport.http.headers}
.....
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Content-Type: application/x-www-form-urlencoded {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Transfer-Encoding: chunked {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Host: some.other.organization.intra:9444 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Connection: Keep-Alive {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> User-Agent: Synapse-PT-HttpComponents-NIO {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
.....
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers} # with this
TID: http-incoming-972453 << X-Frame-Options: DENY {org.apache.synapse.transport.http.headers}
.....
我已经调整了props.conf,以便
TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}
最终被以下字段编入索引
- httpRequestId :
972453 - ressourceName :
/token
和
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
使用
- httpRequestId :
972453 - httpStatus :
200
我正在寻找一种计数请求的方法,该请求由 httpStatus 和 ressourceName 使用 httpRequestId 作为联接
进行汇总尝试
由于有关ressourceName和httpStatus的信息发生在不同的事件上,因此我想到使用 join 。这没有任何结果
index=* role="gw" httpAction="incoming" | join type=outer httpRequestId [fields ressourceName,httpStatus] | stats count by ressourceName,httpStatus
在阅读Splunk文档时,我还遇到了selfjoin,其结果仅是部分
index=* role="gw" httpAction="incoming" | selfjoin httpRequestId | stats count by ressourceName,httpStatus
如何合并多个事件中的字段以得到类似
的结果/somewhere 200 30
/somewhere 403 1
/somewhere/else 200 15
解决方法
您可能想看看使用transaction命令。
index=* role="gw" httpAction="incoming" | transaction httpRequestId | stars count by ressourceName,httpStatus
根据要分析的数据量和时间范围,交易或联接就足够了。
,您对join的使用不正确。子搜索必须是有效的搜索,以“ search”或“ |”开头。
尝试使用stats命令。
index=foo role=gw httpAction="Incoming
| stats values(*) as * by httpRequestId