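How to search using part of a string in Splunk and group by

Problem description

I need to create a report that shows the processing time of certain events in Splunk, and for that I need to get all the related events and group them by ID.

My current Splunk events look like this: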

{
  "Timestamp": "Mon Sep 01 18:19:42 CDT 2020","Id": "567","Application": "TEST"
},{
  "Timestamp": "Mon Sep 01 13:19:42 CDT 2020","Id": "567-test-00-10",{
  "Timestamp": "Mon Sep 01 10:19:42 CDT 2020","Id": "567-test-03-10",{
  "Timestamp": "Mon Sep 01 15:19:42 CDT 2020","Id": "567-test-01-10",{
  "Timestamp": "Mon Sep 01 08:19:42 CDT 2020","Id": "567-test-02-10","Application": "TEST"
}

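I need to get the latest and the oldest timestamps to create the report, but I am having trouble grouping them by ID.

My idea was to take the first part of the ID and group on that, but I have not been able to make it work.

I tried basesearch |eval id= mvindex(split(id,"-"),0) |stats last(Timestamp) as latestTime by id, but it did not work.

I need to show id, late(Timestamp), first(Timestamp) in the report. I would really appreciate your help.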

Solution

I'm not sure what would happen if no hyphen were found, so you could try another query instead.

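One way to group the sample events by the leading part of the ID, as an added example that is not part of the original question or answer. It assumes the extracted fields are named Id and Timestamp exactly as in the events above (Splunk field names are case-sensitive) and that the strptime format string matches the sample timestamps; base_id, event_time, first_time, latest_time, processing_time and events are hypothetical names chosen here.

```spl
basesearch
| rex field=Id "^(?<base_id>[^-]+)"
| eval event_time=strptime(Timestamp, "%a %b %d %H:%M:%S %Z %Y")
| stats min(event_time) as first_time, max(event_time) as latest_time, count as events by base_id
| eval processing_time=tostring(latest_time - first_time, "duration")
| eval first_time=strftime(first_time, "%Y-%m-%d %H:%M:%S"), latest_time=strftime(latest_time, "%Y-%m-%d %H:%M:%S")
| table base_id first_time latest_time processing_time events
```

The rex pattern captures everything before the first hyphen and the whole value when there is no hyphen, so "567" and "567-test-00-10" land in the same group. Timestamp is a string, so it is parsed to epoch seconds and aggregated with min and max, which do not depend on the order in which events are returned.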