Sumo Logic and two aggregations in a search query

Problem description

What I want to achieve is to show the total of the two aggregated fields, sum(discoverCountOld) as VisitsdiscoveredOld and sum(discoverCount) as Visitsdiscovered, as a single new column instead of those two fields.

  _source="src" and _collector="collector"
    | parse regex "Finished cataloging (?<discoverCountOld>\d+) visits for state " nodrop
    | parse regex "Finished cataloging visits: Visit count: (?<discoverCount>\d+)" nodrop
    | parse regex "Finished submitting (?<SubmitCount>\d+) visits for state CO" nodrop
    | parse regex "Finished updating status for (?<UpdateCount>\d+) visits for state CO"
    | fields discoverCountOld,discoverCount,SubmitCount,UpdateCount
    | timeslice 1d
    | sum(discoverCountOld) as VisitsdiscoveredOld,sum(discoverCount) as Visitsdiscovered,sum(SubmitCount) as VisitsSubmitted,sum(UpdateCount) as VisitsUpdated group by _timeslice
    | fillmissing timeslice(1d)
    | sort by _timeslice asc

Solution

This is the answer that was found:

_source="_source" and _collector="-collector"
| parse regex "Finished cataloging (?<DiscoverCountOld>\d+) visits for state " nodrop
| parse regex "Finished cataloging visits: Visit count: (?<DiscoverCount>\d+)" nodrop
| parse regex "Finished submitting (?<SubmitCount>\d+) visits for state CO" nodrop
| parse regex "Finished updating status for (?<UpdateCount>\d+) visits for state CO"
| timeslice 1d
| sum(DiscoverCountOld) as VisitsDiscoveredOld,sum(DiscoverCount) as VisitsDiscoveredNew,sum(SubmitCount) as VisitsSubmitted,sum(UpdateCount) as VisitsUpdated group by _timeslice
| VisitsDiscoveredOld+VisitsDiscoveredNew as VisitsDiscovered
| fields _timeslice,VisitsDiscovered,VisitsSubmitted,VisitsUpdated
| fillmissing timeslice(1d)
| sort by _timeslice asc
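To check what the accepted query produces before running it against live data, here is an added Python model of the same pipeline (not Sumo Logic code and not from the original post): the four nodrop regex parses, a 1-day timeslice, per-day sums, the old+new addition into VisitsDiscovered, and fillmissing for empty days. The log lines are constructed, and filling missing days with 0 is an assumption about the fill value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The same four patterns as the query. Each parse is "nodrop": a line that
# matches none of them is kept, it just contributes nothing to the sums.
PATTERNS = {
    "DiscoverCountOld": re.compile(r"Finished cataloging (\d+) visits for state "),
    "DiscoverCount": re.compile(r"Finished cataloging visits: Visit count: (\d+)"),
    "SubmitCount": re.compile(r"Finished submitting (\d+) visits for state CO"),
    "UpdateCount": re.compile(r"Finished updating status for (\d+) visits for state CO"),
}

# Constructed sample log lines (timestamp, message); not from a real collector.
SAMPLE_LOGS = [
    ("2024-03-01T08:00:00", "Finished cataloging 10 visits for state CO"),
    ("2024-03-01T09:00:00", "Finished cataloging visits: Visit count: 5"),
    ("2024-03-01T10:00:00", "Finished submitting 7 visits for state CO"),
    ("2024-03-03T08:00:00", "Finished cataloging visits: Visit count: 4"),
    ("2024-03-03T09:00:00", "Finished updating status for 3 visits for state CO"),
]


def visits_per_day(logs):
    """timeslice 1d | sum(...) group by _timeslice | old+new as VisitsDiscovered
    | fields ... | fillmissing timeslice(1d) | sort by _timeslice asc"""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, msg in logs:
        day = datetime.fromisoformat(ts).date()  # timeslice 1d
        daily[day]  # register the day even if no pattern matches (nodrop)
        for field, pat in PATTERNS.items():
            m = pat.search(msg)
            if m:
                daily[day][field] += int(m.group(1))  # sum(field) group by day
    if not daily:
        return []
    rows = []
    day, last = min(daily), max(daily)
    while day <= last:  # fillmissing: emit every day in range, missing ones as 0
        agg = daily.get(day, {})
        rows.append({
            "_timeslice": day.isoformat(),
            # The answer's key step: add the two sums into one column.
            "VisitsDiscovered": agg.get("DiscoverCountOld", 0) + agg.get("DiscoverCount", 0),
            "VisitsSubmitted": agg.get("SubmitCount", 0),
            "VisitsUpdated": agg.get("UpdateCount", 0),
        })
        day += timedelta(days=1)
    return rows  # already sorted by _timeslice asc
```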