I have a log file that records the start and finish times of file processing. The entries contain strings like the following:
=============== STARTED PROCESSING FILE filename at Thu Jul 19 00:03:55 2018 EDT===============
=============== FINISHED PROCESSING FILE filename at Thu Jul 19 00:04:05 2018 EDT===============
Initially I came up with a query that uses _time:
processing.log "FINISHED PROCESSING FILE" OR "STARTED PROCESSING FILE" | rex field=_raw "(?<filename>\S*)" | stats count first(_time) as start last(_time) as finished by filename | eval duration = abs( finished - start)
This seemed to work fine, until I realised that the _time of the FINISHED and STARTED entries can be hours apart, even though the actual processing takes up to 10 seconds (as in the example above). So now I am trying the following query:
processing.log "FINISHED PROCESSING FILE" OR "STARTED PROCESSING FILE" | rex field=_raw "(?<filename>\S*) at (?<ptime>.*) EDT" | eval stime=strptime(ptime,'%a %B %d %Y %H:%M:%S')| stats count first(stime) as start last(stime) as finished by filename | eval duration = abs( finished - start)
But it does not give the expected result, which is the processing duration for each filename. What am I doing wrong / how can I fix this?
Answer 0 (score: 0)
Try using ...| stats count first(stime) as start last(stime) as finished by filename |eval duration = abs( finished - start)
instead of ... | stats count range(stime) as duration by filename
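The following added example (not part of the original thread) reproduces the per-file duration calculation in Python over two constructed log lines modelled on the ones quoted in the question. It assumes Splunk's strptime follows the usual C format semantics: the posted format "%a %B %d %Y %H:%M:%S" does not match "Thu Jul 19 00:03:55 2018" (abbreviated month, year last), so stime comes back empty and no duration can be computed, while "%a %b %d %H:%M:%S %Y" parses it and yields the 10-second range.

```python
import re
from datetime import datetime

# Constructed sample log lines, modelled on the two lines quoted in the question.
SAMPLE_LOG = """\
=============== STARTED PROCESSING FILE report.csv at Thu Jul 19 00:03:55 2018 EDT===============
=============== FINISHED PROCESSING FILE report.csv at Thu Jul 19 00:04:05 2018 EDT===============
"""

# Anchor the filename capture on the literal text before it, so it cannot grab the "====" run.
LINE_RE = re.compile(
    r"(?P<state>STARTED|FINISHED) PROCESSING FILE (?P<filename>\S+) at (?P<ptime>.*?) EDT"
)

POSTED_FORMAT = "%a %B %d %Y %H:%M:%S"  # format string from the question: does not match the data
FIXED_FORMAT = "%a %b %d %H:%M:%S %Y"   # matches "Thu Jul 19 00:03:55 2018"


def parse_ptime(ptime, fmt):
    """Return a datetime, or None when the format does not match (Splunk's strptime yields null)."""
    try:
        return datetime.strptime(ptime, fmt)
    except ValueError:
        return None


def durations_by_filename(log_text, fmt):
    """Equivalent of `stats range(stime) by filename`: seconds between the earliest and the
    latest timestamp seen for each file. A file with any unparsable timestamp maps to None."""
    times = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stime = parse_ptime(m.group("ptime"), fmt)
        times.setdefault(m.group("filename"), []).append(stime)
    result = {}
    for filename, stimes in times.items():
        if any(t is None for t in stimes):
            result[filename] = None
        else:
            result[filename] = (max(stimes) - min(stimes)).total_seconds()
    return result


if __name__ == "__main__":
    print(durations_by_filename(SAMPLE_LOG, POSTED_FORMAT))  # {'report.csv': None}
    print(durations_by_filename(SAMPLE_LOG, FIXED_FORMAT))   # {'report.csv': 10.0}
```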