我有一些来自 Splunk 日志的数据,我需要确定在任何单个事件发生时同时运行的其他请求。
使用以下查询,我能够让它返回一个列,其中包含在我的开始时间和持续时间内同时运行的请求数。
index="sfdc" source="sfdc_event_log://EventLog_SFDC_Production_eventlog_hourly" EVENT_TYPE IN (API, RestAPI) RUN_TIME>20000
| eval endTime=_time
| eval permitTimeInSecs=(RUN_TIME-20000)/1000
| eval permitAcquiredTime=endTime-permitTimeInSecs
| eval dbTotalTime=DB_TOTAL_TIME/1000000
| concurrency start=permitAcquiredTime duration=permitTimeInSecs
| table _time API_TYPE EVENT_TYPE ENTITY_NAME apimethod concurrency permitAcquiredTime permitTimeInSecs RUN_TIME CPU_TIME dbtotalTime REQUEST_ID USER_ID
| fieldformat dbTotalTime=round(dbTotalTime,0)
| rename permitAcquiredTime as "Start Time", permitTimeInSecs as "Concurrency Duration", concurrency as "Concurrent Running Events", API_TYPE as "API Type", EVENT_TYPE as "Event Type", ENTITY_NAME as "Entity Name", apimethod as "API Method", RUN_TIME as "Run Time", CPU_TIME as "CPU Time", dbtotalTime as "DB Total Time", REQUEST_ID as "Request ID", USER_ID as "User ID"
| sort "Concurrent Running Events" desc
我现在正在尝试调查这些结果中的单个事件。例如,top 事件表示在它运行时,在 20 秒的时间窗口中运行了 108 个并发请求。
如何使用这些数据识别这 108 个事件?
我想它将查询具有特定时间范围范围的事件,但我不确定是否需要检查诸如_time + - 10 seconds查看 20 秒窗口内运行的内容之类的东西?
108 events对于这个顶级示例,只需要更多地了解这背后的数据。我在这里的最终目标是能够向仪表板添加向下钻取,以便当我单击 时108,我可以看到正在运行的那些事件。