我得到如下结果:
1. DateTime=2019-07-02T16:17:20,913 Thread=[], Message=[Message(userId=124, timestamp=2019-07-02T16:17:10.859Z, notificationType=CREATE, userAccount=UserAccount(firstName=S, lastName=K, emailAddress=abc@xyz.com, status=ACTIVE), originalValues=OriginalValue(emailAddress=null)) Toggle : true]
2. DateTime=2019-07-02T16:18:20,913 Thread=[], Message=[Message(userId=124, timestamp=2019-07-02T16:17:10.859Z, notificationType=CREATE, userAccount=UserAccount(firstName=S, lastName=K, emailAddress=abc@xyz.com, status=ACTIVE), originalValues=OriginalValue(emailAddress=new@xyz.com)) Toggle : true]
3. DateTime=2019-07-02T16:19:20,913 Thread=[], Message=[Message(userId=124, timestamp=2019-07-02T16:17:10.859Z, notificationType=CREATE, userAccount=UserAccount(firstName=S, lastName=K, emailAddress=abc@xyz.com, status=ACTIVE), originalValues=OriginalValue(emailAddress=new@xyz.com)) Toggle : true]
我正在尝试对结果进行分组,其中整个"Message"字段的内容相同,并且"emailAddress=null"不包含在消息中。
So in the results above 2 and 3 should be the output.
以下查询对我来说很好用,但我需要根据以下条件进一步优化它:
有效查询:index=app sourcetype=appname host=appname* splunk_server_group=us-east-2 | fields Message | search Message= "[Message*" | regex _raw!="emailAddress=null" | stats count(Message) as count by Message | where count > 1
要优化的条件
- 不能与原始人为战
- 消息键/值对必须位于主搜索中,而不是子搜索中
答案 0 :(得分:0)
当前查询中没有任何子搜索。子搜索是用方括号括起来的查询。
雷克斯对_raw有什么问题?
尝试一下:
index=app sourcetype=appname host=appname* splunk_server_group=us-east-2 Message="[Message*"
| fields Message
| regex Message!="emailAddress=null"
| stats count(Message) as count by Message | where count > 1