我有一个显示延迟数据的表,现在我想编写一个警报查询,该警报将在请求(方法+ uri)的中位数高于3000毫秒(3秒)时发出警报
我用于该延迟表的查询是:
index=ms-app environment=prod AND "*"
| eval uri=replace(mvindex(split('request.uri', "?"), 0), "\/\d+[-+\w]+", "/:n"), methodOverride='request.headers.X-HTTP-Method-Override'
| eval methodOverrideStr = if(isnull(methodOverride) OR methodOverride=="null", "", "(" + methodOverride + ")")
| eval request = 'request.method' + methodOverrideStr + " " + uri + " " + 'response.httpStatusCode'
| stats
min(stats.overallResponseTimeInMilliSeconds) as "Min",
avg(stats.overallResponseTimeInMilliSeconds) as avg_latency,
max(stats.overallResponseTimeInMilliSeconds) as "Max",
median(stats.overallResponseTimeInMilliSeconds) as "Median",
perc95(stats.overallResponseTimeInMilliSeconds) as "95th %",
count(request) as "# req total", count(eval('stats.overallResponseTimeInMilliSeconds' > 3000)) as "#>3s",
count(eval('stats.overallResponseTimeInMilliSeconds' > 5000)) as "#>5s",
count(eval('stats.overallResponseTimeInMilliSeconds' > 10000)) as "#>10s" by request
| eval "Avg" = round(avg_latency, 0)
| table request, "Median"
这将产生一个基于方法+ uri的表格,显示中位潜伏期 例如:
现在,我正在尝试创建一个查询,该查询将仅显示中位数延迟高于3s的+ uri方法,以便我可以创建警报,以警告splunk哪些端点具有较高的延迟 这就是我尝试过的:
index=ms-app environment=prod AND "*"
| eval uri=replace(mvindex(split('request.uri', "?"), 0), "\/\d+[-+\w]+", "/:n"), methodOverride='request.headers.X-HTTP-Method-Override'
| eval methodOverrideStr = if(isnull(methodOverride) OR methodOverride=="null", "", "(" + methodOverride + ")")
| eval request = 'request.method' + methodOverrideStr + " " + uri + " " + 'response.httpStatusCode'
| stats
median(stats.overallResponseTimeInMilliSeconds) as "Median"
| table request, "Median" > 3000
应显示以下内容:
但是,它只显示与第一个查询相同的结果
答案 0 :(得分:2)
使用where命令根据字段值过滤事件。
... | where Median > 3000
| table request, Median