How to merge two stats by in Splunk?

I want a chart that shows the values. One search is

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created

This gives me a table like

Similarly, I have another search

 index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) As DueOpen by CW_DueDate

This gives me another table like

I tried using appendcols to combine the two, but the X axis only has CW_Created and the details of the second table are shown under the wrong CW.

I want to combine CW_Created and CW_DueDate and present the result in a single table, e.g. CW, Open, Close, DueCount, where DueCount is filled with 0 for the CWs it does not apply to, and the data is shown like this:

CW      |Open     |Close    |DueCount
CW27    |7        |0        |0
CW28    |2        |0        |0
CW29    |0        |0        |4
CW30    |0        |7        |3
CW31    |0        |0        |1
CW32    |0        |0        |1

The appendcols command is a bit tricky to use. Events from the main search and the subsearch are paired on a one-to-one basis, without regard to any field values. This means the CW27 event would be matched with CW29, CW28 with CW30, and so on.

Use the append command instead. The results of the subsearch follow the results of the main search, but a stats command can be used to merge them.

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created
| append [ index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) As DueOpen by CW_DueDate ]
| eval CW = coalesce(CW_Created, CW_DueDate)
| stats values(*) as * by CW

This might be what you are looking for

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created
| rename CW_Created as CW
| join type=outer CW
    [| search index="cumu_open_csv"  Assignee="ram"
    | eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
    | stats count(eval(open_field=1)) As DueOpen by CW_DueDate
    | rename CW_DueDate as CW ]

Or maybe something like this:

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| eval CW=if(len(CW_Created)>1,CW_Created,CW_DueDate)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed, count(eval(open_field=1)) as DueOpen by CW

Sample data would make it substantially easier to try to help you.
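
The following is an added, self-contained version of the append approach from the first answer; it is not code from either answer and does not need the cumu_open_csv index. The five events are constructed inline with makeresults (CW_Created, CW_DueDate, Status per row), the Open/Close/DueCount column names follow the question's desired table, and sum() plus fillnull replaces the `stats values(*) as *` merge so that weeks missing from one side show 0 instead of a blank cell:

```spl
| makeresults
| eval row="CW27,CW29,Open|CW27,CW29,Reopened|CW28,CW30,In Progress|CW30,CW32,Closed|CW29,CW31,Waiting"
| makemv delim="|" row
| mvexpand row
| rex field=row "^(?<CW_Created>[^,]+),(?<CW_DueDate>[^,]+),(?<Status>.+)$"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"),1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS Close by CW_Created
| append [
    | makeresults
    | eval row="CW27,CW29,Open|CW27,CW29,Reopened|CW28,CW30,In Progress|CW30,CW32,Closed|CW29,CW31,Waiting"
    | makemv delim="|" row
    | mvexpand row
    | rex field=row "^(?<CW_Created>[^,]+),(?<CW_DueDate>[^,]+),(?<Status>.+)$"
    | eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"),1,0)
    | stats count(eval(open_field=1)) AS DueCount by CW_DueDate ]
| eval CW=coalesce(CW_Created, CW_DueDate)
| stats sum(Open) AS Open, sum(Close) AS Close, sum(DueCount) AS DueCount by CW
| fillnull value=0 Open Close DueCount
| sort CW
```

The first stats produces one row per CW_Created, the subsearch one row per CW_DueDate; after append, each row carries only one of the two week fields, so coalesce yields a single CW key and the final stats collapses the two row sets onto it. sum() is used rather than values() because values() turns the counts into strings and would produce a multivalue cell if a week ever appeared with different counts on both sides; fillnull then supplies the 0 the question asks for. To reproduce the question's real search, replace each makeresults block with the `index="cumu_open_csv" Assignee="ram"` search. One caveat on the second answer's join variant: `join type=outer` in Splunk is a left outer join, so any week that appears only as a due date (CW31 and CW32 in this sample) would be dropped from the result, whereas the append form keeps it.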