我需要编写一个Splunk查询来获取给定pid时的状态,应该打印最后一个状态,编写单个查询以获取状态但是dnt知道如何合并查询。提供了少量文档但无法找到一种方式。
"##payto"|rex field=msg "personid :(?<pid>[^,]+)" |rex field=msg ",(?<status>[^,\]]+)
//if this status is SUCCESS then i need to check for status of next step else i need to print this status
"Event :start"|rex field=msg "personid :(?<pid>[^,]+)"|rex field=msg " Status :(?<status>[^,]+)"
//if response is 200 then need to go to next step else print this status
答案 0 :(得分:0)
请试试这个:
| rex field=msg "personid :(?<pid>[^,]+)"
| rex field=msg ",(?<status>[^,\]]+)
| join type=left pid
[search "Event :start"
| rex field=msg "personid :(?<pid>[^,]+)"
| rex field=msg " Status :(?<status_2nd>[^,]+)"
| table pid, status_2nd
]
| eval status=if(status=200,status_2nd,status)
| table pid,status
P.S。我不记得函数if的确切语法。 :(