问题描述
你能帮我解决以下问题吗..
index=xyz
| eval BlockedStatus =
case(Like(src,"14.19.106.%") AND blocked=1,"Q Blocked",Like(src,"150.29.121.%") AND blocked=1,"14.19.106.%") AND blocked=0,"Q Not Blocked","150.29.121.%") AND blocked=0,NOT Like(src,"Non Q Blocked","Non Q Not Blocked","Non Q Not Blocked")
| stats count by eventtype BlockedStatus
| rename eventtype as "Local Market",count as "Total Critical Events"
因为我们有src=150.29.121.23和blocked=1的数据,但上面的查询给了我结果
"Non Q Blocked" instead of "Q Blocked"
不知道这里出了什么问题
解决方法
您的数据中必须与问题有所不同,因为该查询在我的沙箱中有效。
