多重搜索没有达到我的预期
我们选择的消息格式使用称为范围的字段来控制所需的聚合级别(按 request_type、站点、区域、集群)。范围通过下拉菜单设置并作为令牌传递。我想使用多重搜索来合并 4 个不同搜索的结果。因此,如果范围是站点,则仅显示站点搜索的结果。
实际搜索:
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
[search $request_type_token$ | where "$scope_token$" == "request_type" ]
[search $request_type_token$ $site_token$ | where "$scope_token$" == "site"]
[search $request_type_token$ $site_token$ $zone_token$ | where "$scope_token$" == "zone"]
[search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_token$" == "cluster"]
| timechart cont=FALSE span=$span_token$ sum(success) by request_type
用文字值替换标记后进行搜索。
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
[search request_type="*"
| where "site" == "request_type" ]
[search request_type="*" site="RTP"
| where "site" == "site"]
[search request_type="*" site="RTP" zone="*"
| where "site" == "zone"]
[search scope=site request_type="*" site="RTP" zone="*" cluster="*"
| where "site" == "cluster"]
| timechart cont=FALSE span=hour sum(success) by request_type
但是......这个查询的结果相当于根本没有搜索,我基本上不过滤任何东西。
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| timechart cont=FALSE span=hour sum(success) by request_type
此查询和上面的查询给出相同的结果。我在这里缺少什么?当我分别执行多重搜索的每个部分时,结果是正确的。除了“where“site”==“site””搜索之外,我得到的所有结果都是空的。但是当我运行整个查询时,我根本没有得到任何过滤。帮助!
The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token. I wanted to use multi-search to coalesce the results of 4 different searches. So that if the scope was site, only the results from the site search would be shown.
Actual Search:
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
[search $request_type_token$ | where "$scope_tokenquot; == "request_type" ]
[search $request_type_token$ $site_token$ | where "$scope_tokenquot; == "site"]
[search $request_type_token$ $site_token$ $zone_token$ | where "$scope_tokenquot; == "zone"]
[search scope=$scope_token$ $request_type_token$ $site_token$ $zone_token$ $cluster_token$ | where "$scope_tokenquot; == "cluster"]
| timechart cont=FALSE span=$span_token$ sum(success) by request_type
Search after token substitution with literal values.
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
[search request_type="*"
| where "site" == "request_type" ]
[search request_type="*" site="RTP"
| where "site" == "site"]
[search request_type="*" site="RTP" zone="*"
| where "site" == "zone"]
[search scope=site request_type="*" site="RTP" zone="*" cluster="*"
| where "site" == "cluster"]
| timechart cont=FALSE span=hour sum(success) by request_type
BUT ... the results of this query are equivalent to no search at all and I basically do not filter anything.
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| timechart cont=FALSE span=hour sum(success) by request_type
This query and the one above give the same result. What am I missing here? When I execute each part of the multi-search separately, the results are correct. I get empty results for all but the 'where "site" == "site"' search. But when I run the whole query I get no filtering at all. Help!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
首先,我认为您正在寻找的是
site的 值 以匹配request_type(在最初的multisearchsearch行) - 但您在where子句中实际检查的是文本 < code>“site” 等于文本“request_type”。当然,事实并非如此!首先删除
multisearch的第二行(因为将site与site进行比较将始终为真),并且使用upper()和match():使用
cluster="rtp"而不是cluster=* 会更容易在这里,但我留下了这个习惯用法upper()ing 和match()ing 用于读取一致性First, I think what you're looking for is the value of
siteto matchrequest_type(in the initialmultisearchsearchline) - but what you're actually checking for in thewhereclause is whether the text"site"equals the text"request_type". And, of course, that is not the case!Start by removing the second line of the
multisearch(since comparingsitetositewill always be true), and usingupper()andmatch():it would be even easier to do
cluster="rtp"instead ofcluster=*here, but I've left the idiom ofupper()ing andmatch()ing for reading consistency