Splunk: merging fields from multiple lines

Problem description

Context

Say my log structure looks like this

TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers} # I want this
TID: http-incoming-972453 >> Accept: application/json {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Host: some.organization.com {org.apache.synapse.transport.http.headers}
.....
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Content-Type: application/x-www-form-urlencoded {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> transfer-encoding: chunked {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Host: some.other.organization.intra:9444 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> Connection: Keep-Alive {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> User-Agent: Synapse-PT-HttpComponents-NIO {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
.....
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers} # with this
TID: http-incoming-972453 << x-frame-options: DENY {org.apache.synapse.transport.http.headers}
.....

I have adjusted props.conf so that

TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}

ends up indexed with the following fields

  • httpRequestId 972453
  • ressourceName /token

TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}

with

  • httpRequestId 972453
  • httpStatus 200

I am looking for a way to count requests, aggregated by httpStatus and ressourceName, using httpRequestId as the join key.

Attempts

Since the information about ressourceName and httpStatus lands on different events, I thought of using join. That returns no results.

index=* role="gw" httpAction="incoming" | join type=outer httpRequestId [fields ressourceName,httpStatus] | stats count by ressourceName,httpStatus

While reading the Splunk documentation I also came across selfjoin, which only gives partial results

index=* role="gw" httpAction="incoming" | selfjoin httpRequestId | stats count by ressourceName,httpStatus

How do I merge the fields from multiple events to get a result like
/somewhere           200         30
/somewhere           403         1
/somewhere/else      200         15

Solution

You may want to look at using the transaction command.

index=* role="gw" httpAction="incoming" | transaction httpRequestId | stats count by ressourceName,httpStatus

Depending on the amount of data and the time range you are analysing, transaction or join should suffice.


Your use of join is incorrect. The subsearch must be a valid search, starting with "search" or "|".

Try using the stats command.

index=foo role=gw httpAction="incoming"
| stats values(*) as * by httpRequestId
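As an added example (not from the question or from either answer), here is a Python re-implementation of what the stats-based approach does, run offline over constructed log lines modelled on the ones in the question. It assumes the full pipeline is `... | stats values(*) as * by httpRequestId | stats count by ressourceName,httpStatus` (the second stats is what the question asks for but the answer does not write out), and the two regexes stand in for the props.conf extractions the question mentions but does not show. The request IDs 972454 to 972456 and the /somewhere paths are invented to exercise the 403 and "no response yet" cases.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the question's lines; not real data.
# 972456 has a request but no response line, 8816 is an outgoing call.
SAMPLE_LOG = """\
TID: http-incoming-972453 >> POST /token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 >> Accept: application/json {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 >> POST /oauth2/token HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-outgoing-8816 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972453 << x-frame-options: DENY {org.apache.synapse.transport.http.headers}
TID: http-incoming-972454 >> GET /somewhere HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972454 << HTTP/1.1 403 Forbidden {org.apache.synapse.transport.http.headers}
TID: http-incoming-972455 >> GET /somewhere HTTP/1.1 {org.apache.synapse.transport.http.headers}
TID: http-incoming-972455 << HTTP/1.1 200 OK {org.apache.synapse.transport.http.headers}
TID: http-incoming-972456 >> GET /somewhere/else HTTP/1.1 {org.apache.synapse.transport.http.headers}
"""

# Assumed field extractions standing in for the props.conf regexes the
# question describes but does not show. Header lines (Accept:, Host:, ...)
# match neither pattern and therefore carry no fields.
REQUEST_RE = re.compile(
    r"^TID: http-(?P<httpAction>incoming|outgoing)-(?P<httpRequestId>\d+) >> "
    r"(?P<httpMethod>[A-Z]+) (?P<ressourceName>\S+) HTTP/1\.[01]"
)
RESPONSE_RE = re.compile(
    r"^TID: http-(?P<httpAction>incoming|outgoing)-(?P<httpRequestId>\d+) << "
    r"HTTP/1\.[01] (?P<httpStatus>\d{3})"
)


def extract_events(log_text, http_action="incoming"):
    """Yield one dict of extracted fields per matching event, the way Splunk
    would index them, keeping only the requested httpAction (the search's
    httpAction="incoming" filter)."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line) or RESPONSE_RE.match(line)
        if m is None:
            continue
        event = m.groupdict()
        if event["httpAction"] == http_action:
            yield event


def merge_by_request_id(events):
    """Equivalent of `stats values(*) as * by httpRequestId`: collapse every
    event sharing an httpRequestId into one row holding the union of their
    field values (a set per field, like a Splunk multivalue field)."""
    merged = defaultdict(lambda: defaultdict(set))
    for event in events:
        rid = event["httpRequestId"]
        for field, value in event.items():
            if field != "httpRequestId":
                merged[rid][field].add(value)
    return merged


def count_by_resource_and_status(merged):
    """Equivalent of the trailing `| stats count by ressourceName,httpStatus`.
    A request whose response has not been logged yet has no httpStatus;
    Splunk drops rows missing any `by` field, and so does this."""
    counts = Counter()
    for fields in merged.values():
        for resource in fields.get("ressourceName", ()):
            for status in fields.get("httpStatus", ()):
                counts[(resource, status)] += 1
    return counts


def report(log_text):
    """Run the whole pipeline and return sorted ((resource, status), count) rows."""
    counts = count_by_resource_and_status(merge_by_request_id(extract_events(log_text)))
    return sorted(counts.items())


if __name__ == "__main__":
    for (resource, status), n in report(SAMPLE_LOG):
        print(f"{resource:<20} {status:>4} {n:>5}")
```

Two things the offline version makes visible that the one-line SPL hides: the outgoing call 8816 never reaches the merge, because the httpAction filter runs before the grouping, and request 972456 is silently absent from the counts because it has no httpStatus yet, so a search window that cuts between a request and its response undercounts. The same caveat applies to the key itself: if httpRequestId is a counter that can recur within the time range, both approaches (stats and transaction) will conflate the unrelated requests that share it.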