I am trying to write a Splunk query (shown below) but limit the results to 100 events per cid. I cannot use top or limit because that changes the output. This is what I have so far; I know I should be using |head x but I am having trouble with the syntax. The query below outputs everything for every cid, but I am trying to limit it so that I only get a sample of 100 per cid. I would really appreciate any help.
index=unruly_sampled_ad_stats (t=pp_play OR t=pp_completed_view OR t=complete OR t=q2 OR t=q3 OR t=q4 OR t=click) adf=* demand_partner=unruly
(cid=* ) (crid=*) (apid=*) (pid=*)
|bin _time span=1d
|lookup uas_lookup http_user_agent as user_agent
|replace "Mobile Browser" with Mobile in ua_type
|replace Browser with Desktop in ua_type
|eval sampling_rate=coalesce(sampling_rate,1)
|eval play=if(t="pp_play",1/sampling_rate,0)
|eval pp_completed_view=if(t="pp_completed_view",1/sampling_rate,0)
|eval complete=if(t="complete",1/sampling_rate,0)
|eval click=if(t="click",1/sampling_rate,0)
|eval q2=if(t="q2",1/sampling_rate,0)
|eval q3=if(t="q3",1/sampling_rate,0)
|eval q4=if(t="q4",1/sampling_rate,0)
|stats sum(play), sum(pp_completed_view), sum(q2), sum(q3), sum(q4), sum(complete), sum(click) by adf, UID, apid, cid, crid, pid, ua_type, _time
Answer 0: (score: 0)
You can add top at the end of the query so that, after the stats have been calculated, the results are limited to 100 per cid. It is hard to debug without the data, but give it a try.
|stats sum(play) as playSum, sum(pp_completed_view) as pp_completed_viewSum, sum(q2) as q2Sum, sum(q3) as q3Sum, sum(q4) as q4Sum, sum(complete) as completeSum, sum(click) as clickSum by adf, UID, apid, cid, crid, pid, ua_type, _time
|top 100 playSum,pp_completed_viewSum,q2Sum,q3Sum,q4Sum,completeSum,clickSum,adf,UID,apid,crid,pid,ua_type,_time by cid