我将每个事件都作为一个 JSON 对象,下面由 Splunk 索引。我怎样才能有一个 Splunk 查询,以便我发现所有这些故障都发生在数组"failed"和"passed"数组中?
"output":{
"date" : "21-09-2017"
"failed": [ "fail_1", **"fail_2"** ],
"passed": [ "pass_1", "pass_2" , **"fail_2"**]
}
对于上面的示例,结果将是"fail_2"。
您可以执行以下操作:
| makeresults
| eval x = "{\"output\":{\"date\" : \"21-09-2017\",\"failed\": [ \"fail_1\", \"fail_2\"],\"passed\": [ \"pass_1\", \"pass_2\" , \"fail_2\"]}}"
| eval x = mvappend(x,"{\"output\":{\"date\" : \"21-09-2017\",\"failed\": [ \"f_1\", \"f_2\"],\"passed\": [ \"f_1\", \"pass_2\" , \"f_2\"]}}")
| mvexpand x
| streamstats count as id
| spath input=x
| rename "output.failed{}" as failed, "output.passed{}" as passed, "output.date" as date
| mvexpand failed
| eval common_field = if(isnotnull(mvfind(passed, failed)),failed,null)
| stats values(date) as date, values(failed) as failed, values(passed) as passed, values(common_field) as common_field by id
该示例包含 2 个示例日志事件,其中失败和通过具有共同值。streamstats然后用于为每个事件分配唯一 ID,因为我在您的示例中没有看到唯一 ID。spath 将 json 对象解析为字段。完成后,mvexpand为每个失败值创建一行。mvfindthen 用于查找与传递字段的任何值匹配的失败字段的值。然后使用分配的唯一 ID 再次组合相关行。