0

Can you please help me with the below..

index=xyz 
| eval BlockedStatus =  
case(Like(src,"14.19.106.%") AND blocked=1 ,"Q Blocked", 
            Like(src,"150.29.121.%") AND blocked=1,"Q Blocked",
            Like(src,"14.19.106.%") AND blocked=0,"Q Not Blocked", 
            Like(src,"150.29.121.%") AND blocked=0,"Q Not Blocked",
            NOT Like(src,"14.19.106.%") AND blocked=1,"Non Q Blocked", 
            NOT Like(src,"150.29.121.%") AND blocked=1,"Non Q Blocked",
            NOT Like(src,"14.19.106.%") AND blocked=0,"Non Q Not Blocked", 
            NOT Like(src,"150.29.121.%") AND blocked=0,"Non Q Not Blocked")            
| stats count by eventtype BlockedStatus 
| rename eventtype as "Local Market", count as "Total Critical Events"

For the above query, where we have data where src=150.29.121.23 blocked=1, the result comes out as

"Non Q Blocked" instead of "Q Blocked" 

Not sure what is wrong here.

4

1 Answer

0

Your data must differ in some way from what is in the question, because that query works in my sandbox.


Answered 2021-01-13T15:01:57.203
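
A way to run the check the answer describes, as an added example that is not part of the original question or answer: the question's `case()` expression is evaluated against four constructed rows built with `makeresults`, so no index is needed. The `sample`, `n`, `src_len`, `src_type` and `blocked_type` fields and the row values are assumptions made for this test; `case()` returns the value paired with the first condition that is true.

```spl
| makeresults count=4
| streamstats count AS n
| eval sample="constructed test row",
       src=case(n=1,"14.19.106.7", n=2,"150.29.121.23", n=3,"150.29.121.23", n=4,"8.8.8.8"),
       blocked=case(n=1,1, n=2,1, n=3,0, n=4,1)
| eval BlockedStatus=case(
        like(src,"14.19.106.%") AND blocked=1, "Q Blocked",
        like(src,"150.29.121.%") AND blocked=1, "Q Blocked",
        like(src,"14.19.106.%") AND blocked=0, "Q Not Blocked",
        like(src,"150.29.121.%") AND blocked=0, "Q Not Blocked",
        NOT like(src,"14.19.106.%") AND blocked=1, "Non Q Blocked",
        NOT like(src,"150.29.121.%") AND blocked=1, "Non Q Blocked",
        NOT like(src,"14.19.106.%") AND blocked=0, "Non Q Not Blocked",
        NOT like(src,"150.29.121.%") AND blocked=0, "Non Q Not Blocked")
| eval src_len=len(src), src_type=typeof(src), blocked_type=typeof(blocked)
| table sample src src_len src_type blocked blocked_type BlockedStatus
```

Appending the last two lines to the real `index=xyz` search, before the `stats`, shows the length and type of `src` and `blocked` for the events that are classified unexpectedly, which can be compared with the constructed rows.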