0

我在 Splunk 中有一些日志事件,如下所示:

Payment request to app_name_foo for brand: B1, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring

Payment request to app_name_foo for brand: B1, app_id: A2, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring

Payment request to app_name_foo for brand: B2, app_id: A3, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring

Payment request to app_name_foo for brand: B2, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring

Payment request to app_name_foo for brand: B2, app_id: A4, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring

我正在尝试获取如下表:

BRAND     | CREDITCARD | DIRECTDEBIT | GPAY
B1        |    1       |    0        | 1   
B2        |    1       |    0        | 2

到目前为止我已经尝试过:

index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand" 
| chart  count over brand by method

index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand" 
| chart  count over brand by "payment method"

index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand" 
| chart count(eval(method==CREDITCARD)) AS CREDITCARD count(eval(method==DIRECTDEBIT)) AS DIRECTDEBIT count(eval(method==GPAY )) AS GPAY by brand

不幸的是,Splunk 似乎无法识别付款方式方法。上面的查询(以及我在互联网上找到的更多查询)没有产生任何结果。

如果我用app_id替换方法付款方式,那么我会得到一些结果。

我错过了什么?请帮忙。

4

1 回答 1

0

在使用字段之前,必须先提取它们。有很多方法可以做到这一点,其中一种使用extract命令。

index = app_name_foo sourcetype = app "Payment request to myApp for brand"
| extract kvdelim=":" pairdelim=","
| rename Payment_request_to_app_name_foo_for_brand as brand
| chart  count over brand by payment_method

您会注意到extract可能不会像预期的那样抓取字段名称。此外,空格替换为下划线。

现在我们有了可以使用的字段,让我们来谈谈输出。请告诉我们更多关于 CREDITCARD、DIRECTDEBIT 和 GPAY 列的派生方式。B1 如何仅从 2 个事件中获得 CREDITCARD 值 5?DIRECTDEBIT 来自哪里?GPAY 怎么能从 3 个事件中加到 5 个?

于 2021-12-29T13:09:07.470 回答