通过以下查询,我得到了一个特定的 和 Request-Responsetime()Requesttime的Responsetime统计信息:diffid
(index=something "Request") OR (index=something "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)"
| table _time id
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id
我现在想要得到的是diff每 1 分钟平均值的时间表。
我试图用stats第二个table命令和命令替换命令,timechart但没有任何效果。
注意:Requesttime和Reponsetime在不同的事件中。
我找到了一个解决方案:
(index=something "Request") OR (index=something "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)"
| stats earliest(_time) as earliestTime latest(_time) as latestTime by id
| eval duration=latestTime-earliestTime
| eval _time=earliestTime
| timechart span=1m avg(duration) as avgRequestResponseTime
| fillnull value=0 avgRequestResponseTime
| eval avgRequestResponseTime=round(avgRequestResponseTime,4)
timechart要求隐藏字段_time仍然存在 - 在此示例中,没有_time字段
所以你需要“伪造”你的时间表——或者你需要以_time某种方式或其他方式回来
这些方面的东西应该起作用:
index=ndx ("Request" OR "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)"
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id date_minute
| stats avg(diff) as avg by id date_minute
(我去掉了多余的第一| table行,因为它会减慢搜索速度,并| stats在完成后生成一个表格)