I need to write a Splunk query that, given a pid, returns its status; it should print the last status. I wrote a single query for each status but don't know how to combine the queries. I looked at some documentation but couldn't find a way to do it.

    "##payto" | rex field=msg "personid :(?<pid>[^,]+)" | rex field=msg ",(?<status>[^,\]]+)"
    //if this status is SUCCESS then I need to check the status of the next step, else I need to print this status

    "Event :start" | rex field=msg "personid :(?<pid>[^,]+)" | rex field=msg " Status :(?<status>[^,]+)"
    //if the response is 200 then I need to go to the next step, else print this status

1 Answer


Please try this:

    "##payto"
    | rex field=msg "personid :(?<pid>[^,]+)"
    | rex field=msg ",(?<status>[^,\]]+)"
    | join type=left pid
        [search "Event :start"
        | rex field=msg "personid :(?<pid>[^,]+)"
        | rex field=msg " Status :(?<status_2nd>[^,]+)"
        | table pid, status_2nd
        ]
    | eval status=if(status=200,status_2nd,status)
    | table pid,status


PS: I don't remember the exact syntax of the if function. :(

Answered 2018-04-10T09:19:12.710
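To make the correlation logic in the question concrete outside Splunk, here is an added Python example (not from the original post or the answer) that applies the same rex patterns to a handful of constructed log lines, keeps the last status seen per pid, left-joins the "Event :start" step onto the "##payto" step, and reports the next step's status only when the first step was SUCCESS. The sample messages and the two-step rule are assumptions based on the question.

```python
import re

# Regexes mirror the rex patterns from the question (applied to the msg field).
PID_RE = re.compile(r"personid :(?P<pid>[^,]+)")
STEP1_STATUS_RE = re.compile(r",(?P<status>[^,\]]+)")
STEP2_STATUS_RE = re.compile(r" Status :(?P<status>[^,]+)")

# Constructed sample events, not taken from the original post.
SAMPLE_LOG = [
    "2018-04-10 09:00:01 ##payto [personid :1001,SUCCESS]",
    "2018-04-10 09:00:02 ##payto [personid :1002,FAILED]",
    "2018-04-10 09:00:03 ##payto [personid :1003,SUCCESS]",
    "2018-04-10 09:00:04 ##payto [personid :1004,SUCCESS]",
    "2018-04-10 09:00:05 Event :start personid :1001, Status :200",
    "2018-04-10 09:00:06 Event :start personid :1003, Status :500",
]


def extract(lines, marker, status_re):
    """Return {pid: status} for events containing `marker`; later events overwrite
    earlier ones, which gives the 'last status' the question asks for."""
    out = {}
    for msg in lines:
        if marker not in msg:
            continue
        pid_m = PID_RE.search(msg)
        st_m = status_re.search(msg)
        if pid_m and st_m:
            out[pid_m.group("pid").strip()] = st_m.group("status").strip()
    return out


def final_status(lines):
    """Left-join step 2 ("Event :start") onto step 1 ("##payto") by pid and
    decide which status to report, like the join/eval in the answer."""
    step1 = extract(lines, "##payto", STEP1_STATUS_RE)
    step2 = extract(lines, "Event :start", STEP2_STATUS_RE)
    result = {}
    for pid, s1 in step1.items():
        if s1 == "SUCCESS" and pid in step2:
            result[pid] = step2[pid]  # step 1 passed: report the next step's status
        else:
            result[pid] = s1  # step 1 failed, or no step-2 event yet: report step 1
    return result


if __name__ == "__main__":
    for pid, status in sorted(final_status(SAMPLE_LOG).items()):
        print(pid, status)
```

A pid whose first step succeeded but that has no second-step event yet (1004 above) keeps SUCCESS, matching the left join in the answer.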