How to count results in Splunk and put them in a table?

I am trying to create a table in Splunk that contains a few extracted fields together with a count of the total number of entries returned when I give Splunk a string to search for. The problem I am running into is that when I use the stats command to count the results that are returned and pipe that to table, it just leaves all the fields blank but shows the value of the result count returned. Without the count logic, the table shows all the values I am after. Here is my example query:

index=test "Failed to find file"
| table host, sourceUser, sourceApp, source
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log"

Here are the example results (two rows of CSV, since I can't post images):

Server,User,Application,Log

myserver1,joesmith,RadomApp,C:\Users\Joe\Log.txt

This returns all the fields I asked for. If I add the stats command (as shown below), it returns a table with all the columns, but the only one with data is the "Error Count" column:

index=test "Failed to find file"
| stats count as error
| table host, sourceUser, sourceApp, source, error
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log", error as "Error Count"

Example results:

Server,User,Application,Log,Error Count

,1

Any idea what the best way to fix this is?

Someone I know came up with a solution; I needed to change the 'stats' line so that the final query looks like this:

index=test "Failed to find file"
| stats count as error by host, sourceUser, sourceApp, source
| table host, sourceUser, sourceApp, source, error
| rename host as "Server", sourceUser as "User", sourceApp as "Application", source as "Log", error as "Error Count"
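The reason the first query produced blank columns is that `stats` is a transforming command: it replaces the event list with its aggregate rows, and a row carries only the aggregated values and the fields named in the `by` clause. Everything else is gone by the time `table` runs. The following Python script is an added example (not from the original poster or from Splunk) that emulates the two pipelines over a handful of constructed events, so you can see why `stats count` alone yields `,,,,N` and why grouping on the four fields restores them. The event values, the helper names (`search`, `stats_count`, `stats_count_by`, `table`) and the `_raw` field contents are all assumptions made for the demonstration.

```python
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample events, not taken from the original post: the field names
# follow the extracted fields in the question, the values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "myserver1", "sourceUser": "joesmith", "sourceApp": "RadomApp",
     "source": r"C:\Users\Joe\Log.txt", "_raw": "ERROR Failed to find file config.ini"},
    {"host": "myserver2", "sourceUser": "annlee", "sourceApp": "Backup",
     "source": r"D:\backup\run.log", "_raw": "ERROR Failed to find file set1.bak"},
    {"host": "myserver1", "sourceUser": "joesmith", "sourceApp": "RadomApp",
     "source": r"C:\Users\Joe\Log.txt", "_raw": "ERROR Failed to find file data.db"},
    {"host": "myserver2", "sourceUser": "annlee", "sourceApp": "Backup",
     "source": r"D:\backup\run.log", "_raw": "ERROR Failed to find file set2.bak"},
    {"host": "myserver1", "sourceUser": "joesmith", "sourceApp": "RadomApp",
     "source": r"C:\Users\Joe\Log.txt", "_raw": "ERROR Failed to find file cache.tmp"},
    # This event does not contain the search phrase and must be dropped by the base search.
    {"host": "myserver1", "sourceUser": "joesmith", "sourceApp": "RadomApp",
     "source": r"C:\Users\Joe\Log.txt", "_raw": "INFO Service started"},
]

BY_FIELDS = ("host", "sourceUser", "sourceApp", "source")
OUTPUT_COLUMNS = BY_FIELDS + ("error",)
RENAMES = {"host": "Server", "sourceUser": "User", "sourceApp": "Application",
           "source": "Log", "error": "Error Count"}


def search(events: Sequence[Dict[str, str]], phrase: str) -> List[Dict[str, str]]:
    """Emulates the base search `index=test "Failed to find file"`: keep only
    events whose raw text contains the phrase."""
    return [e for e in events if phrase in e["_raw"]]


def stats_count(events: Sequence[Dict[str, str]]) -> List[Dict[str, object]]:
    """`| stats count as error` with no by-clause. The output is exactly one row
    holding only the aggregate; host, sourceUser, sourceApp and source no longer
    exist, which is why `table` later shows them blank."""
    return [{"error": len(events)}]


def stats_count_by(events: Sequence[Dict[str, str]], by: Sequence[str]) -> List[Dict[str, object]]:
    """`| stats count as error by host, sourceUser, sourceApp, source`: one row per
    distinct combination of the by-fields, each row carrying those fields plus the count."""
    counter = Counter(tuple(e.get(f, "") for f in by) for e in events)
    rows = [dict(zip(by, key), error=n) for key, n in counter.items()]
    # Highest counts first; ties broken by the grouping key so the output is deterministic.
    rows.sort(key=lambda r: (-r["error"], tuple(r[f] for f in by)))
    return rows


def table(rows: Sequence[Dict[str, object]], columns: Sequence[str], renames: Dict[str, str]) -> str:
    """`| table ... | rename ...`: fixed column order, missing fields rendered blank,
    returned as CSV text (header line first)."""
    header = ",".join(renames.get(c, c) for c in columns)
    body = [",".join(str(r.get(c, "")) for c in columns) for r in rows]
    return "\n".join([header] + body)


if __name__ == "__main__":
    hits = search(SAMPLE_EVENTS, "Failed to find file")
    print("Ungrouped count (the broken query):")
    print(table(stats_count(hits), OUTPUT_COLUMNS, RENAMES))
    print()
    print("Grouped count (the fixed query):")
    print(table(stats_count_by(hits, BY_FIELDS), OUTPUT_COLUMNS, RENAMES))
```

The ungrouped branch prints a header followed by `,,,,5`, the grouped branch prints one row per host/user/application/log combination with its count. The practical rule for `stats` is: any field you still want to see downstream must be either an aggregate (`count`, `values(...)`, `latest(...)`) or part of the `by` clause. If you need every individual event row kept and only want the count attached to each, `eventstats` (which adds the aggregate as a new field without collapsing events) is the command to reach for instead of `stats`.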