0

所以我有一些格式为

Time                | UUID           |  event_name_status            | actual_important_log_time 
---------------------------------------------------------------------------------------------------------------
2020-03-26T12:00:00 | 123456789      |  car_end                      | 2020-03-25T16:50:30
2020-03-26T12:00:00 | 123456789      |  car_mid                      | 2020-03-25T16:40:30
2020-03-26T12:00:00 | 123456789      |  car_start                    | 2020-03-25T16:30:30
2020-03-26T12:00:00 | 123456788      |  car_end                      | 2020-03-25T15:50:30
2020-03-26T12:00:00 | 123456788      |  car_mid                      | 2020-03-25T15:20:30
2020-03-26T12:00:00 | 123456788      |  car_start                    | 2020-03-25T14:50:30

这是一个一致的模式,每个事务都有一个开始、中间和结束,每个事务都有不同的 UID(其他事务也有不同的车辆)。

我目前使用以下搜索命令将它们分组到事务中。

* | transaction UUID startswith="car_start" endswith="car_end"

哪些交易分组显示了过去 X 时间长度内的交易数量(一天可能是数百/数千。

我需要使用actual_important_log_time字段获取每个事务的持续时间,然后使用这些值来获取平均值

4

1 回答 1

0 
| makeresults
| eval _raw="Time,UUID,event_name_status,actual_important_log_time
2020-03-26T12:00:00,123456789,car_end,2020-03-25T16:50:30
2020-03-26T12:00:00,123456789,car_mid,2020-03-25T16:40:30
2020-03-26T12:00:00,123456789,car_start,2020-03-25T16:30:30
2020-03-26T12:00:00,123456788,car_end,2020-03-25T15:50:30
2020-03-26T12:00:00,123456788,car_mid,2020-03-25T15:20:30
2020-03-26T12:00:00,123456788,car_start,2020-03-25T14:50:30"
| multikv forceheader=1
| table Time,UUID,event_name_status,actual_important_log_time
| foreach *time [ eval <<FIELD>> = strptime('<<FIELD>>', "%FT%T")]
| stats range(actual_important_log_time) as duration by UUID Time
| eval duration=tostring(round(duration),"duration")
| rex field=duration mode=sed "s/(\d+):(\d+):(\d+)/\1h \2m \3s/g"

此查询按每个 UUID 生成持续时间。现在,我将持续时间设为可读。如果要聚合平均值,请更改Time为 epoch 并重命名为_timeafter stats。并使用timechart

于 2020-04-05T05:58:10.047 回答