共享应用程序日志:
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"
问题:在 splunk 仪表板中查找耗时超过 500 毫秒的 API 总数?
请分享 splunk 查询以找出以下数据。
两列表中的预期输出显示:
延迟 API 名称:queryAPI
总出现次数:1
根据您的样本数据:
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,617.195517, pId:45"
2021-08-25T20:45:17.382Z level=info module=xyz pid=45 message="queryAPI, Execution Time(ms):,231.195517, pId:45"
像这样的东西应该工作:
index=ndx sourcetype=srctp message=*
| rex field=message "(?<apiname>\w+).+\,(?<exectime>\d+\.\d+).+:(?<pid>\d+)$"
| where exectime>500
| stats values(exectime) as longtimes by apiname pid
我假设您message已经提取了该字段,并且已经从该字段中提取了apiname, exectime, andpidmessage