如何评估代表另一个字段长度的Splunk字段?
我已将以下包含 JSON 行的示例文件加载到 Splunk 中:
{"duration":2134,"input":["foo","bar"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.14427-07:00"}
{"duration":997,"input":["baz"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.144526-07:00"}
Splunk 已解析这些字段,使得 input 字段是一个列表: 
我想生成一个包含输入长度(元素数量)和 duration 字段的表格。遵循 https://docs.splunk.com/Documentation /StreamProcessor/standard/FunctionReference/List#length.28input.29,我已经尝试过
msg="Processed input"
| eval N=length(input)
| table N, duration
,但这不会产生 N 的值:
确定 N 的正确方法是什么?
I've loaded the following example file containing lines of JSON into Splunk:
{"duration":2134,"input":["foo","bar"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.14427-07:00"}
{"duration":997,"input":["baz"],"level":"info","msg":"Processed input","time":"2022-04-07T08:10:23.144526-07:00"}
Splunk has parsed these fields such that the input field is a list:
I would like to generate a table of the length of (number of elements in) the input and the duration field. Following https://docs.splunk.com/Documentation/StreamProcessor/standard/FunctionReference/List#length.28input.29, I've tried
msg="Processed input"
| eval N=length(input)
| table N, duration
but this yields no values for N:
What would be the correct way to determine N?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用
mvCount('input {}')在length(input)edit> edit:在
input> input {}as周围放置单个引号{,}是特殊字符。Use
mvcount('input{}')in replace oflength(input)Edit: Put Single quotes around
input{}as{,}are special characters.