如何与原始字段一起显示Splunk Map操作的结果?
我正在使用一个简化的示例,其中工作人员可以有多个生命周期来执行任务。 (这类似于用户登录不同会话并执行 https://community.splunk.com/t5/Splunk-Search/Any-example-for-MAP-command/mp/88473)。
当任务启动时,会记录 taskID 和 lifecycleID。但是,我还想查找相应的 workerID ,它在生命周期开始时与上一个日志行中的 lifecycleID 一起记录。
考虑以下示例数据:
{
"level": "info",
"lifecycleID": "af331787-654f-441f-ac06-21b6b7e0c984",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.07991-07:00",
"workerID": "c51df20b-f157-4002-8292-4583ebd3ba9e"
}
{
"level": "info",
"lifecycleID": "af331787-654f-441f-ac06-21b6b7e0c984",
"msg": "Started task",
"taskID": "9de93d09-5e6e-4648-9488-dda0e3e58765",
"time": "2022-04-02T21:15:38.181107-07:00"
}
{
"level": "info",
"lifecycleID": "03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.282264-07:00",
"workerID": "c51df20b-f157-4002-8292-4583ebd3ba9e"
}
{
"level": "info",
"lifecycleID": "03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9",
"msg": "Started task",
"taskID": "243bf757-85c6-4c6e-9eec-6d74886ec407",
"time": "2022-04-02T21:15:38.383176-07:00"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.483304-07:00",
"workerID": "0b82966c-cc98-48f0-9a36-a699e2cee48c"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Started task",
"taskID": "864819ed-208d-4d3d-96b9-1af4c4c42b08",
"time": "2022-04-02T21:15:38.584478-07:00"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Finished task",
"taskID": "864819ed-208d-4d3d-96b9-1af4c4c42b08",
"time": "2022-04-02T21:15:38.684633-07:00"
}
我想生成一个表,其中显示启动的三个任务中每一个的 workerID、lifecycleID 和 taskID 。到目前为止,我想出的是
index="workers" msg="Started task"
| stats count by lifecycleID
| map search="search index=workers msg=\"Started lifecycle\" lifecycleID=$lifecycleID$"
| table workerID, lifecyleID, taskID
然而,这似乎并没有保留 lifecycleID 和 taskID (就像我省略 地图并简单地按生命周期ID、任务ID进行计数):
如何才能显示表中的所有三个值?
更新
我已经使用子搜索尝试了 RichG 的答案,
index=workers msg="Started lifecycle"
[ search index="workers" msg="Started task"
| stats count by lifecycleID
| fields lifecycleID
| format ]
| table workerID, lifecyleID, taskID
但它生成的输出与我自己使用 map 尝试生成的输出相同,即没有 lifecycleID 或 <代码>任务ID:
I'm working with a simplified example in which there are workers which can have multiple lifecycles in which they perform tasks. (This is similar to the example of users logging into different sessions and performing shell commands given in https://community.splunk.com/t5/Splunk-Search/Any-example-for-MAP-command/m-p/88473).
When a task is started, a taskID and lifecycleID is logged. However, I would also like to look up the corresponding workerID which would have been logged together with the lifecycleID in a previous log line when the lifecycle started.
Consider the following example data:
{
"level": "info",
"lifecycleID": "af331787-654f-441f-ac06-21b6b7e0c984",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.07991-07:00",
"workerID": "c51df20b-f157-4002-8292-4583ebd3ba9e"
}
{
"level": "info",
"lifecycleID": "af331787-654f-441f-ac06-21b6b7e0c984",
"msg": "Started task",
"taskID": "9de93d09-5e6e-4648-9488-dda0e3e58765",
"time": "2022-04-02T21:15:38.181107-07:00"
}
{
"level": "info",
"lifecycleID": "03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.282264-07:00",
"workerID": "c51df20b-f157-4002-8292-4583ebd3ba9e"
}
{
"level": "info",
"lifecycleID": "03d2148c-b697-4d8e-a3ca-f0fb68d2bbb9",
"msg": "Started task",
"taskID": "243bf757-85c6-4c6e-9eec-6d74886ec407",
"time": "2022-04-02T21:15:38.383176-07:00"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Started lifecycle",
"time": "2022-04-02T21:15:38.483304-07:00",
"workerID": "0b82966c-cc98-48f0-9a36-a699e2cee48c"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Started task",
"taskID": "864819ed-208d-4d3d-96b9-1af4c4c42b08",
"time": "2022-04-02T21:15:38.584478-07:00"
}
{
"level": "info",
"lifecycleID": "9cab44b4-5600-47b3-9acd-47b2641cb0d5",
"msg": "Finished task",
"taskID": "864819ed-208d-4d3d-96b9-1af4c4c42b08",
"time": "2022-04-02T21:15:38.684633-07:00"
}
I would like to generate a table which shows the workerID, lifecycleID, and taskID for each of the three tasks started. So far what I've come up with is
index="workers" msg="Started task"
| stats count by lifecycleID
| map search="search index=workers msg=\"Started lifecycle\" lifecycleID=$lifecycleIDquot;
| table workerID, lifecyleID, taskID
However, this doesn't appear to retain the lifecycleID and taskID (like it would if I were to omit the map and simply count by lifecycleID, taskID):
How can I make it such that I can display all three values in the table?
Update
I've attempted RichG's answer using a subsearch,
index=workers msg="Started lifecycle"
[ search index="workers" msg="Started task"
| stats count by lifecycleID
| fields lifecycleID
| format ]
| table workerID, lifecyleID, taskID
but it generates output that is identical to the one generated in my own attempt using a map, i.e. without the lifecycleID or taskID:
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
尝试使用子搜索而不是
map。在下面的子搜索中(方括号内的部分),将生成唯一的生命周期 ID 值列表,并将其格式化为(lifecycleID="foo" OR LifecycleID="bar")。该字符串将替换子搜索,以生成对具有指定生命周期 ID 之一的所有“已启动生命周期”事件的搜索。组合事件的另一种方法是
stats命令。请参阅下面的随处运行示例。Try using a subsearch instead of
map. In the subsearch below (the part inside square brackets), a list of unique lifecycleID values is produced and formatted into(lifecycleID="foo" OR lifecycleID="bar"). That string is substituted for the subsearch to produce a search for all "Started lifecycle" events with one of the specified lifecycleID's.Another method for combining events is the
statscommand. See the run-anywhere example below.我意识到这可以通过
JOIN查询来实现:结果如下所示。
I realized that this could be achieved by a
joinquery:The results are shown below.