I was wondering if anyone could help me.
I posted the following about a Splunk query I am trying to write:
https://answers.splunk.com/answers/724223/in-a-table-powered-by-a-stats-count-search-can-you.html
I got a lot of help, but although I spent a few days concentrating on using eval if statements, the "Successful" and "Unsuccessful" columns still display blank results, and I am still having the same problem. So I thought I would widen the scope a bit and ask whether someone could take a look at this question and offer some guidance on how to solve it.
Many thanks and regards,
Chris
Answer 0 (score: 0)
I tried to explore your use case via the splunkd_access log and came up with a simple SPL to help you. In this query I am actually joining the output of 2 searches that aggregate the required results (not caring about search performance).
Give it a try. If you have access to the _internal index, this will work as is. You should be able to modify it easily to suit your events (e.g. replace user with ClientID).
index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log"
| stats count as All sum(eval(if(status <= 303,1,0))) as Successful sum(eval(if(status > 303,1,0))) as Unsuccessful by user
| join user type=left
[ search index=_internal source="/opt/splunk/var/log/splunk/splunkd_access.log"
| chart count BY user status ]
I updated your Splunk community answer (it should be like this):
`w2_wmf(RequestCompleted)` request.detail.Context="*test"
| dedup eventId
| rename request.ClientID as ClientID detail.statusCode AS statusCode
| stats count as All sum(eval(if(statusCode <= 303,1,0))) as Successful sum(eval(if(statusCode > 303,1,0))) as Unsuccessful by ClientID
| join ClientID type=left
[ search `w2_wmf(RequestCompleted)` request.detail.Context="*test"
| dedup eventId
| rename request.ClientID as ClientID detail.statusCode AS statusCode
| chart count BY ClientID statusCode ]
Answer 1 (score: 0)
I answered on Splunk, but with pseudo-coding; it looks like
`w2_wmf(RequestCompleted)` request.detail.Context="*test"
| dedup eventId
| rename request.ClientId as ClientID, detail.statusCode as Status
| eval X_{Status}=1
| stats count as Total sum(X_*) as X_* by ClientID
| rename X_* as *
That will give you ClientID, the count, then a column for each status code found, with the sum for each code in that column.
From what I gather you could not get it working; this query should show the actual way to code it:
index=_internal sourcetype=*access
| eval X_{status}=1
| stats count as Total sum(X_*) as X_* by source, user
| rename X_* as *
This will give output like:
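As an added reference for both answers above (this is example code written for this page, not Splunk code and not anything posted by either answerer), the following Python reproduces the two aggregations outside Splunk so you can check what the finished table should contain: the fixed-threshold Successful/Unsuccessful split from Answer 0 and the one-column-per-status pivot from Answer 1, left-joined on the user the way the `join user type=left` does. The sample lines are constructed to approximate the layout of splunkd_access.log (client IP, "-", user, timestamp, request, status, bytes); the exact field layout of your own events is an assumption here, so adjust LINE_RE to match them. A deliberately malformed line and an unauthenticated request (user "-") are included to show how records that would produce blank cells in Splunk are handled.

```python
import re
from collections import defaultdict

# Constructed sample lines in the general layout of splunkd_access.log
# (client IP, "-", user, [timestamp], "request", status, bytes, ...).
# They are made up for this example and are not real log data; "-" in the
# user position marks an unauthenticated request.
SAMPLE_LOG = """\
127.0.0.1 - admin [28/Feb/2019:10:00:01.000 +0000] "GET /services/server/info HTTP/1.1" 200 1490 - - - 3ms
127.0.0.1 - admin [28/Feb/2019:10:00:02.000 +0000] "POST /services/search/jobs HTTP/1.1" 201 512 - - - 12ms
10.0.0.5 - chris [28/Feb/2019:10:00:03.000 +0000] "GET /services/search/jobs/1 HTTP/1.1" 303 0 - - - 1ms
10.0.0.5 - chris [28/Feb/2019:10:00:04.000 +0000] "GET /services/data/indexes HTTP/1.1" 403 120 - - - 1ms
10.0.0.5 - chris [28/Feb/2019:10:00:05.000 +0000] "GET /services/nonexistent HTTP/1.1" 404 77 - - - 1ms
10.0.0.9 - - [28/Feb/2019:10:00:06.000 +0000] "GET /services/auth/login HTTP/1.1" 401 130 - - - 1ms
this line is deliberately malformed and must be skipped
"""

# Assumed line layout; change this if your events look different.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def parse_lines(text):
    """Return a list of (user, status) pairs, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("user"), int(m.group("status"))))
    return records


def success_split(records, threshold=303):
    """Same result as
    stats count as All sum(eval(if(status<=303,1,0))) as Successful
          sum(eval(if(status>303,1,0))) as Unsuccessful by user
    Every row gets an explicit 0 rather than a blank when a bucket is empty."""
    table = defaultdict(lambda: {"All": 0, "Successful": 0, "Unsuccessful": 0})
    for user, status in records:
        row = table[user]
        row["All"] += 1
        row["Successful" if status <= threshold else "Unsuccessful"] += 1
    return dict(table)


def status_pivot(records):
    """Same result as
    eval X_{status}=1 | stats count as Total sum(X_*) as X_* by user | rename X_* as *
    Returns (rows, columns): rows maps user -> {"Total": n, "<status>": n, ...}
    holding only the status codes that user actually produced; columns is the
    sorted union of all status codes seen, for rendering a fixed-width table."""
    rows = defaultdict(lambda: {"Total": 0})
    seen = set()
    for user, status in records:
        col = str(status)
        seen.add(col)
        rows[user]["Total"] += 1
        rows[user][col] = rows[user].get(col, 0) + 1
    return dict(rows), sorted(seen)


def combined_table(records):
    """Left-join the two aggregations on user, as `join user type=left` does,
    and return one row per user with every column filled (0 for status codes
    that user never hit, where Splunk would show an empty cell)."""
    split = success_split(records)
    pivot, columns = status_pivot(records)
    out = {}
    for user, row in split.items():
        merged = dict(row)
        for col in columns:
            merged[col] = pivot[user].get(col, 0)
        out[user] = merged
    return out, ["All", "Successful", "Unsuccessful"] + columns


def render(table, columns):
    """Tab-separated text table, one row per user, users sorted."""
    lines = ["\t".join(["user"] + columns)]
    for user in sorted(table):
        lines.append("\t".join([user] + [str(table[user][c]) for c in columns]))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    table, cols = combined_table(recs)
    print(render(table, cols))
```

Running it prints one row per user with All/Successful/Unsuccessful followed by a column for each status code seen across all users; if your Splunk table shows blanks where this prints 0, the difference is only in how empty buckets are rendered, whereas a blank in the Successful or Unsuccessful column for a user who clearly has a status value usually means the field name inside the eval does not match the field present at the stats stage.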