Splunk: Stats from multiple events and expecting one combined output
I have the following events:

event_a has the fields time_a and MAS_A
event_b has the fields time_b and MAS_B
event_c has the fields time_c and MAS_C

sourcetype="app" eventtype in (event_a,event_b,event_c)
| stats avg(time_a) as "Avg Response Time" BY MAS_A
| eval "Avg Response Time"=round('Avg Response Time',2)

The output I get from the search above is two fields, MAS_A and Avg Response Time.

I am trying to get the same information for event_b and event_c in the same SPL search, and I expect the final output to have only two fields: MAS_A_B_C and Avg Response Time.

Is this what you want? Some sample events might help with your query.

sourcetype="app" eventtype in (event_a,event_b,event_c)
| eval time_value=coalesce(time_a, time_b, time_c)
| eval MAS_value=coalesce(MAS_A, MAS_B, MAS_C)
| stats avg(time_value) as "Avg Response Time" BY MAS_value
| eval "Avg Response Time"=round('Avg Response Time',2)
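To make the coalesce-then-stats idea concrete outside of Splunk, here is an added Python example (not from the question or the answer above) that replays the answer's pipeline over a handful of constructed events: each event carries only the fields its eventtype has, the two coalesce() calls pick the first non-null time and MAS field, and the averages are grouped by the merged MAS value and rounded to two decimals. It also shows what happens at the edges the SPL silently handles: an event with no time field contributes nothing to avg(), a non-numeric time value is skipped, and a group that ends up with no numeric values produces no row. The event list and field values are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events standing in for the three Splunk eventtypes.
# Each dict is one event; only the fields that eventtype carries are present.
SAMPLE_EVENTS = [
    {"eventtype": "event_a", "time_a": "120", "MAS_A": "MAS1"},
    {"eventtype": "event_a", "time_a": "80", "MAS_A": "MAS1"},
    {"eventtype": "event_b", "time_b": "300.5", "MAS_B": "MAS2"},
    {"eventtype": "event_c", "time_c": "45", "MAS_C": "MAS1"},
    # time_c is missing here, so coalesce() yields null and avg() ignores it
    {"eventtype": "event_c", "MAS_C": "MAS3"},
    # non-numeric time value: avg() skips it, the MAS2 group still gets one value
    {"eventtype": "event_b", "time_b": "n/a", "MAS_B": "MAS2"},
]


def coalesce(event, *names):
    """Return the first non-null value among the named fields, like SPL coalesce()."""
    for name in names:
        value = event.get(name)
        if value is not None:
            return value
    return None


def avg_response_time(events):
    """Replay the answer's pipeline:
       eval time_value=coalesce(time_a, time_b, time_c)
       eval MAS_value=coalesce(MAS_A, MAS_B, MAS_C)
       stats avg(time_value) as "Avg Response Time" BY MAS_value
       eval "Avg Response Time"=round('Avg Response Time', 2)
    Returns {MAS_value: rounded average} for every group that has at least
    one numeric time value."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for event in events:
        mas_value = coalesce(event, "MAS_A", "MAS_B", "MAS_C")
        time_value = coalesce(event, "time_a", "time_b", "time_c")
        if mas_value is None:
            continue  # stats BY drops events whose split-by field is null
        try:
            numeric = float(time_value)
        except (TypeError, ValueError):
            continue  # avg() ignores null and non-numeric values
        sums[mas_value] += numeric
        counts[mas_value] += 1
    return {mas: round(sums[mas] / counts[mas], 2) for mas in counts}


if __name__ == "__main__":
    for mas, avg in sorted(avg_response_time(SAMPLE_EVENTS).items()):
        print(f"{mas}\t{avg}")
```

Running it prints one line per merged MAS value, which is the two-column result the asker wanted; MAS3 never appears because its only event has no time field, so there is nothing to average.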