Splunk SPL Operations



2024-07-16 04:47 | Source: compiled from the web | Views: 265

head, tail, top, rare

• head: return the first n results
• tail: return the last n results
• top: show the most common values of a field (highest occurrence count)
• rare: show the least common values of a field (lowest occurrence count)

sort:

• Sort on a field, ascending or descending
• sort -clientip, +status: sort by clientip descending first, then by status ascending
• index=tutorialdata sourcetype="access_combined_wcookie" | table _time,clientip,status | sort -status,+clientip

stats (statistics):

• Compute statistics over the events that match the search
• stats count()
• stats dc()
• stats values()
• stats list()
• stats avg()
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | stats count
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | stats count(clientip)
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | stats dc(clientip)

chart

• Return the result data in tabular form
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | chart count by host | rename host as 服务器, count as "成功购买数"
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | chart count by host | chart avg(count) as "每台服务器平均数"
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | chart count by host | chart max(count) as "最大购买量"
• Table view
• Chart view

timechart

• Create a time-series chart from the corresponding statistics table.
• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | timechart count by host
• With a 2-hour interval: index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | timechart span=2h count by host
• Line chart
• Area chart

Subsearch

• A subsearch is enclosed in square brackets []
• Find the client IP with the most purchases: index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | top limit=1 clientip
• Look up how many products that client bought, how many distinct products, and which ones: index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase clientip="87.194.216.51" | stats count,dc(productId),values(productId) by clientip
• Combine the two searches into one with a subsearch: index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase [search index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | top limit=1 clientip | table clientip] | stats count,dc(productId),values(productId) by clientip

Save as a dashboard and export to PDF

• index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase [search index=tutorialdata sourcetype="access_combined_wcookie" status=200 action=purchase | top limit=1 clientip | table clientip] | stats count,dc(productId) as "totalproducts",values(productId) as "productlist" by clientip | rename clientip as "VIP客户",count as "产品总数",totalproducts as "产品种类",productlist as "产品列表"
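To make concrete what the subsearch pipeline above computes, here is an added example (not part of the original page and not Splunk code) that reproduces `top limit=1 clientip` followed by `stats count, dc(productId), values(productId) by clientip` in plain Python over a handful of constructed access_combined_wcookie-style events; the log lines, IPs and product IDs are made up for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample events in the access_combined_wcookie layout:
# client IP, timestamp, request line with the cart query string, status, bytes.
SAMPLE_EVENTS = """\
87.194.216.51 - - [16/Jul/2024:04:47:01] "GET /cart.do?action=purchase&productId=WC-SH-A01 HTTP/1.1" 200 1318
87.194.216.51 - - [16/Jul/2024:04:47:05] "GET /cart.do?action=purchase&productId=WC-SH-A01 HTTP/1.1" 200 1318
87.194.216.51 - - [16/Jul/2024:04:47:09] "GET /cart.do?action=purchase&productId=MB-AG-G07 HTTP/1.1" 200 1318
10.0.0.7 - - [16/Jul/2024:04:48:00] "GET /cart.do?action=purchase&productId=DB-SG-G01 HTTP/1.1" 200 1318
10.0.0.7 - - [16/Jul/2024:04:48:10] "GET /cart.do?action=view&productId=DB-SG-G01 HTTP/1.1" 200 1318
10.0.0.7 - - [16/Jul/2024:04:48:20] "GET /cart.do?action=purchase&productId=DB-SG-G01 HTTP/1.1" 503 0
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

def parse_events(raw):
    """Extract clientip, status, action and productId, as Splunk field extraction would."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skipped, like an event with no extracted fields
        qs = parse_qs(urlparse(m.group("uri")).query)
        events.append({
            "clientip": m.group("clientip"),
            "status": int(m.group("status")),
            "action": qs.get("action", [None])[0],
            "productId": qs.get("productId", [None])[0],
        })
    return events

def top_clientip(events):
    """Equivalent of '| top limit=1 clientip': the single most frequent clientip."""
    return Counter(e["clientip"] for e in events).most_common(1)[0][0]

def stats_by_clientip(events, clientip):
    """Equivalent of '| stats count, dc(productId), values(productId) by clientip'."""
    mine = [e for e in events if e["clientip"] == clientip]
    products = sorted({e["productId"] for e in mine})  # values() = distinct, sorted
    return {"clientip": clientip, "count": len(mine),
            "dc(productId)": len(products), "values(productId)": products}

def vip_purchase_report(raw=SAMPLE_EVENTS):
    """Outer search filter (status=200 action=purchase), subsearch, then stats."""
    purchases = [e for e in parse_events(raw)
                 if e["status"] == 200 and e["action"] == "purchase"]
    return stats_by_clientip(purchases, top_clientip(purchases))
```

Note that the `view` event and the 503 response are filtered out before `top` runs, exactly as the `status=200 action=purchase` terms do in the outer and inner searches.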
