0

index="index1" sourcetype=sourcetype1
| join commonfield [ search index="index2" sourcetype=sourcetype2 ]
| sort _time
| stats last(index1field1) as state by index2field1, index1field2, index1field3
| where index1field1 != "UP"
| dedup index2field1
| stats count

I want to optimize this query without using stats and OR. Can someone help me?

4

1 Answer

0
(index="index1" sourcetype=sourcetype1) OR (index="index2" sourcetype=sourcetype2)
| stats values(*) AS *, values(_*) as * by commonfield

This would be a fairly good starting point. It first pulls in both sets of data, then merges all the fields from both sources based on commonfield.

Answered 2018-10-10T03:22:56.297
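Two caveats on the answer above that a practitioner would want, with an added example that is not part of the original question or answer. First, `join` is an inner join by default, so the original query only keeps commonfield values that appear in both indexes, whereas the OR + `stats ... by commonfield` pattern keeps every commonfield value seen in either index; adding `dc(index)` and filtering on it restores the inner-join behaviour. Second, `values(_*) AS *` renames internal fields (for example `_time` becomes `time`), so any later pipeline step must use the new names. The following SPL carries the answer's pattern through the rest of the original pipeline; it assumes (as an assumption, not something the page states) that `index1field1`, `index1field2` and `index1field3` only occur in index1 events and `index2field1` only in index2 events, so `latest()` and `values()` pick them up from the right side without an explicit source tag.

```spl
(index="index1" sourcetype=sourcetype1) OR (index="index2" sourcetype=sourcetype2)
| stats latest(index1field1) AS state,
        values(index1field2) AS index1field2,
        values(index1field3) AS index1field3,
        values(index2field1) AS index2field1,
        dc(index) AS index_count
        BY commonfield
| where index_count=2 AND state!="UP"
| dedup index2field1
| stats count
```

`latest(index1field1)` replaces the original `sort _time | stats last(...)`, since `latest()` already picks the value from the most recent event by `_time` and ignores events where the field is absent. `where index_count=2` keeps only commonfield values present in both indexes, matching the inner join; drop it if the outer-merge behaviour of the answer is what you actually want. Note that the original `where index1field1 != "UP"` runs after `stats` has renamed that field to `state`, so the filter here is on `state`.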