我是 Splunk 的新手;我有一个类似的查询:
org_name="Something" app_name=MY_APP status_code=401 requesturl=/api/hi
并返回如下结果:
app_name: MY_APP
org_name: something
space_name: space
job: router
message_type: OUT
msg: my.domain.com - [2021-03-08T15:49:54.049006875Z] "POST /api/hiHTTP/1.1" 401 347 147 "-" "insomnia/7.0.3" "10.158.192.20:46006" "10.158.192.158:61002" x_forwarded_for:"208.127.201.110, 2.20.143.172, 10.158.192.20" x_forwarded_proto:"https" vcap_request_id:"539a9655-3198-4604-775c-306a750ca7e5" response_time:0.008447 gorouter_time:0.000489 app_id:"9ecffb96-0b8b-4a7a-be74-484ed6b6f589" app_index:"4" x_cf_routererror:"-" x_mc_correlation_id:"0.ac8f1402.1615218593.dafa73c" x_correlation_id:"-" correlation_id:"0.ac8f1402.1615218593.dafa73c" x_b3_traceid:"0ca5ab5513f3cb99" x_b3_spanid:"0ca5ab5513f3cb99" x_b3_parentspanid:"-" b3:"0ca5ab5513f3cb99-0ca5ab5513f3cb99"
origin: gorouter
source_instance: 7
source_type: RTR
timestamp: 1615218594057716500
我需要用
搜索所有条目 <块引用>correlation_id:"0.ac8f1402.1615218593.dafa73c"
键可以是correlation_id、XC_correlation_id、MC-REAL_correlation_id等...
答案 0 :(得分:0)
有几种方法可以做到这一点,使用哪种方法取决于您对字段和键名的具体程度。尝试以下命令之一:
| searchmatch("\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\"")
| where match(msg, "\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\"")
| regex "\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\"")
| regex field=msg "\s.*correlation_id:\"0.ac8f1402.1615218593.dafa73c\"")