0

Hi, I have the below data coming from the below query:

(index=abc OR index=def) |rex field=index "(?<Local_Market>[^cita]\w.*?)_" | chart count by blocked,Local_Market

blocked dub rat mil
0       10  20  21
1       02  03  09
2       9   2   1

Now I want the data as below:

Total blocked (sum of 0 and sum of 2)   dub   rat   mil   Total found (sum of 1)
(10+20+21+9+2+1)=63                     10    20    21    (02+03+09)=14

4

2 Answers

1

The question could be better formatted, but I think what you want is the addcoltotals command.

answered 2021-03-18T11:14:59.160
0

This run-anywhere example is ugly, but I believe it produces the desired results.

| makeresults 
| eval _raw="blocked dub rat mil
0       10  20  21
1       02  03  09
2       9   2   1"
| multikv forceheader=1
| fields - _time _raw linecount
```Skip the above - it just creates test data```
```Compute the total_bolocked field for blocked=0 and blocked=2```
| eval total_bolocked=if(blocked!=1,dub+mil+rat,0)
```Compute the total_found field for blocked=1```
| eval total_found=if(blocked=1, dub+mil+rat,0)
```Add up the total_bolocked fields.  This will include blocked=1, but we'll fix that below```
| eventstats sum(total_bolocked) as total_bolocked
```Set total_bolocked=0 if blocked is 1```
| eval total_bolocked=if(blocked=1,0, total_bolocked)
answered 2021-03-18T14:58:07.543