Asked by: H22 Asked: 10/31/2023 Last edited by: H22 Updated: 11/2/2023 Views: 63
Splunk - Grouping by distinct field with stats of another field
Q:
I have the following Splunk search, which collects the distinct statuses from my dataset:
some type of search | eval Status = (REJECT_REASON) | bucket _time span=day | stats count by Status
Here is an example of what my dataset looks like:
CorrelationId Reject_Reason DATE_TIME
12345679 Accepted 20231030 14:00:00
12345679 Accepted 20231030 14:00:00
12345679 Accepted 20231030 14:00:00
12345679 Sent 20231030 00:00:00
12345679 Sent 20231030 00:00:00
12345679 Sent 20231030 00:00:00
99399394 Rejected 20231030 00:00:00
99399394 Rejected 20231030 00:00:00
88393933 Accepted 20231030 14:00:00
88393933 Sent 20231030 00:00:00
33454545 Rejected 20231030 00:00:00
I only want to get the status of distinct correlationIds, meaning that for the sample dataset I would only get back the count and the status of the latest date for the 4 correlationIds.
Example of the desired result:
Status Count
Accepted 2
Rejected 2
I tried using "dedup correlationId", but when I add it to the search it returns no results.
A:
0 upvotes
PM 77-1
11/2/2023
#1
Based on the latest (as of November 1) requirements, here is my query:
| makeresults count=11 | streamstats count
| eval CorrelationID=case(count>=1 and count<=6, 12345679, count in (7,8), 99399394, count in (9,10), 88393933, count=11, 33454545),
       Reject_Reason=case(count in (1,2,3) OR count=9, "Accepted", count in (4,5,6) or count=10, "Sent", count in (7,8) or count=11, "Rejected"),
       DATE_TIME=case(count in (1,2,3) or count=9, "20231030 14:00:00", true(), "20231030 00:00:00")
| fields - _time, count
``` The above is test data setup ```
| eval Status=Reject_Reason
| eventstats max(DATE_TIME) as mx by CorrelationID
| where DATE_TIME=mx
| dedup CorrelationID, Status
| stats dc(CorrelationID) as "Count" by Status
Comments
stats dc(CorrelationId) as count by Status
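To make the pipeline in the accepted answer concrete, the following is an added Python example (not code from the question, the answer, or Splunk itself) that reproduces the same three steps over the question's sample dataset: keep only each CorrelationId's latest event (eventstats max ... | where DATE_TIME=mx), collapse duplicate (CorrelationId, Status) pairs (dedup), then count distinct ids per status (stats dc(...) by Status). The sample events are constructed to match the table in the question; the function names are this example's own. Unlike the SPL, which relies on max() over the DATE_TIME string being lexicographically sortable in the YYYYMMDD HH:MM:SS layout, this version parses the timestamp so the comparison does not depend on the string format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, copied in shape from the question's dataset:
# CorrelationId Reject_Reason DATE_TIME
SAMPLE_EVENTS = """\
12345679 Accepted 20231030 14:00:00
12345679 Accepted 20231030 14:00:00
12345679 Accepted 20231030 14:00:00
12345679 Sent 20231030 00:00:00
12345679 Sent 20231030 00:00:00
12345679 Sent 20231030 00:00:00
99399394 Rejected 20231030 00:00:00
99399394 Rejected 20231030 00:00:00
88393933 Accepted 20231030 14:00:00
88393933 Sent 20231030 00:00:00
33454545 Rejected 20231030 00:00:00
"""


def parse_events(text):
    """Turn the whitespace-separated sample rows into event dicts.

    DATE_TIME is parsed into a datetime so ordering does not depend on the
    string layout (the SPL answer compares the raw strings instead).
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, status, date, time = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y%m%d %H:%M:%S")
        events.append({"CorrelationId": cid, "Status": status, "DATE_TIME": ts})
    return events


def latest_status_counts(events):
    """Equivalent of:
    eventstats max(DATE_TIME) as mx by CorrelationID
    | where DATE_TIME=mx
    | dedup CorrelationID, Status
    | stats dc(CorrelationID) as Count by Status
    Returns {status: distinct_correlation_id_count}, sorted by status.
    """
    # eventstats max(DATE_TIME) as mx by CorrelationID
    latest = {}
    for ev in events:
        cid = ev["CorrelationId"]
        if cid not in latest or ev["DATE_TIME"] > latest[cid]:
            latest[cid] = ev["DATE_TIME"]

    # where DATE_TIME=mx | dedup CorrelationID, Status
    # A set of (id, status) pairs is exactly what dedup leaves behind.
    pairs = set()
    for ev in events:
        if ev["DATE_TIME"] == latest[ev["CorrelationId"]]:
            pairs.add((ev["CorrelationId"], ev["Status"]))

    # stats dc(CorrelationID) as Count by Status
    ids_by_status = defaultdict(set)
    for cid, status in pairs:
        ids_by_status[status].add(cid)
    return {status: len(ids) for status, ids in sorted(ids_by_status.items())}


if __name__ == "__main__":
    for status, count in latest_status_counts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{status} {count}")
```

Running it prints the expected result from the question (Accepted 2, Rejected 2). One behaviour worth knowing about the answer's query, and reproduced here: if a CorrelationId has two events with different statuses at the same maximum DATE_TIME, the where/dedup steps keep both, so that id is counted once under each status rather than being forced into a single "latest" status.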