amazon-cloudwatch aws-cloudwatch-log-insights

日志见解查询 - 通过数据透视进行分组

发布于 2025-01-15 09:33:43 字数 2446 浏览 3 评论 0原文

我有一个 CloudWatch 日志流，其中包含如下所示的结构化记录：

type	env
type1	dev
type1	prod
type2	dev

我想通过 env 查询每种类型的计数（以绘制它们的图表）

相当于以下 SQL 语句：

SELECT 
   SUM(CASE WHEN env = 'dev' THEN 1 ELSE 0 END) AS dev, 
   SUM(CASE WHEN env = 'prod' THEN 1 ELSE 0 END) AS prod 
FROM TABLE 
GROUP BY type

I已经编写了以下查询：

fields @timestamp, record.type as type, record.env as env
| stats count(env="dev") as dev, count(env="prod") as prod by type

期望得到以下结果：

type	dev	prod
type1	1	1
type2	1	0

但不幸的是，无论应用内部的过滤器如何，我都会得到相同的两列计数count() 如下：

如何实现我需要的输出

注意

我可以执行以下查询来获取按每个 env：

fields @timestamp, record.type as type, record.env as env
| stats count(*) by type, env

我会得到：

类型	env	count()
type1	dev	1
type1	prod	1
type2	dev	1

但我需要旋转版本

原文

I have a CloudWatch log stream that contains structured records like the following:

type	env
type1	dev
type1	prod
type2	dev

I'd like to query the counts of each type by the env (to graph them)

Something equivalent to the following SQL statement:

SELECT 
   SUM(CASE WHEN env = 'dev' THEN 1 ELSE 0 END) AS dev, 
   SUM(CASE WHEN env = 'prod' THEN 1 ELSE 0 END) AS prod 
FROM TABLE 
GROUP BY type

I've written the following query:

fields @timestamp, record.type as type, record.env as env
| stats count(env="dev") as dev, count(env="prod") as prod by type

expecting to get the following result:

type	dev	prod
type1	1	1
type2	1	0

But unfortunately, I'm getting the same count for both columns regardless of the applied filter inside the count() as follows:

How can I achieve the output I need

Note

I can do the following query to get the results grouped by each env:

fields @timestamp, record.type as type, record.env as env
| stats count(*) by type, env

I'll get :

type	env	count()
type1	dev	1
type1	prod	1
type2	dev	1

But I need the pivoted version

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

_蜘蛛 2025-01-22 09:33:43

对于这样一个简单的情况，即

仅需要 count 或 sum(field)
时且选项数量有限（例如 dev、beta、 gamma,prod)

你可以执行以下

fields record.type as type, record.docsCount as docsCount
| fields (record.env="dev") as IsDev, (record.env="prod") as isProd
| stats 
   sum(isDev) as devEntries, 
   sum(isDev * docsCount) as devDocsCount,
   sum(isProd) as prodEntries, 
   sum(isProd * docsCount) as prodDocsCount 
  by type

操作注意，上面的方法不适用于需要诸如 avg、stddev 等统计数据的情况。

avg(isDev * docsCount ) 将为prod 行，这些零将影响输出。

For such a simple case, i.e. when

only count or sum(field) is required
and number of options is limited (e.g. dev,beta,gamma,prod)

you can do following

fields record.type as type, record.docsCount as docsCount
| fields (record.env="dev") as IsDev, (record.env="prod") as isProd
| stats 
   sum(isDev) as devEntries, 
   sum(isDev * docsCount) as devDocsCount,
   sum(isProd) as prodEntries, 
   sum(isProd * docsCount) as prodDocsCount 
  by type

Note, approach above does not work for the cases when you need statistics like avg, stddev etc.

avg(isDev * docsCount) will produce zeroes for the prod rows, and those zeroes will impact output.

回复收藏 0 原文

~没有更多了~