I have each event stored as a JSON object, indexed by Splunk. How do I write a Splunk query that finds all errors that are present in both the "failed" and the "passed" arrays?
"output": {
    "date": "21-09-2017",
    "failed": [ "fail_1", "fail_2" ],
    "passed": [ "pass_1", "pass_2", "fail_2" ]
}
For the example above, the result would be "fail_2".
Answer 0: (score: 0)
You can do something like the following:
| makeresults
| eval x = "{\"output\":{\"date\" : \"21-09-2017\",\"failed\": [ \"fail_1\", \"fail_2\"],\"passed\": [ \"pass_1\", \"pass_2\" , \"fail_2\"]}}"
| eval x = mvappend(x,"{\"output\":{\"date\" : \"21-09-2017\",\"failed\": [ \"f_1\", \"f_2\"],\"passed\": [ \"f_1\", \"pass_2\" , \"f_2\"]}}")
| mvexpand x
| streamstats count as id
| spath input=x
| rename "output.failed{}" as failed, "output.passed{}" as passed, "output.date" as date
| mvexpand failed
| eval common_field = if(isnotnull(mvfind(passed, failed)),failed,null)
| stats values(date) as date, values(failed) as failed, values(passed) as passed, values(common_field) as common_field by id
The example contains 2 sample log events in which failed and passed share a common value. streamstats is then used to assign a unique id to each event, since I did not see a unique id in your example. spath parses the JSON object into fields. Once that is done, mvexpand creates one row per failed value. mvfind is then used to find the values of the failed field that match any value of the passed field. The related rows are then recombined using the assigned unique id.
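The answer's search demonstrates the technique on two events built with makeresults. As an added example (not part of the original answer), the following search applies the same spath / streamstats / mvexpand / stats pattern to indexed events; the index and sourcetype names are placeholders you would replace with your own. It swaps the answer's mvfind call for an exact comparison: mvfind treats the failed value as a regular expression, so "fail_1" would also match "fail_10" and a test name containing characters such as "." or "(" would be interpreted as regex syntax. Instead, the failed value is appended to the passed list and the list is deduplicated; if the count does not change, the value was already in passed. This is a plain string comparison with no regex involved.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE "output.failed{}"=*
| spath path=output.date output=date
| spath path=output.failed{} output=failed
| spath path=output.passed{} output=passed
| streamstats count as id
| mvexpand failed
| eval passed_n = mvcount(mvdedup(passed))
| eval with_failed_n = mvcount(mvdedup(mvappend(passed, failed)))
| where with_failed_n = passed_n
| stats values(date) as date, values(failed) as in_both by id
```

Rows whose failed value is not in passed are dropped by the where clause; events with no passed array at all are dropped too, because mvcount of a null field is null and the comparison evaluates to false. If the events already carry a unique identifier, group by that field instead of the streamstats counter, since the counter is only stable within a single search. Note that mvexpand materialises one row per failed value, so on events with very long failed arrays you may want to restrict the search window or add a head limit while testing.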