splunk-query

问题 As part of my requirements, I have to calculate the duration between two different logs using Splunk query. For example: Log 2: 2020-04-22 13:12 ADD request received ID : 123 Log 1 : 2020-04-22 12:12 REMOVE request received ID : 122 The common String between two logs is " request received ID :" and unique strings between two logs are "ADD", "REMOVE". And the expected output duration is 1 hour. Any help would be appreciated. Thanks 回答1: You can use the transaction command, https://docs.splunk

问题 As part of my requirements, I have to calculate the duration between two different logs using Splunk query. For example: Log 2: 2020-04-22 13:12 ADD request received ID : 123 Log 1 : 2020-04-22 12:12 REMOVE request received ID : 122 The common String between two logs is " request received ID :" and unique strings between two logs are "ADD", "REMOVE". And the expected output duration is 1 hour. Any help would be appreciated. Thanks 回答1: You can use the transaction command, https://docs.splunk

来源： https://stackoverflow.com/questions/63689944/group-events-by-multiple-fields-in-splunk

问题 I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count. I tried below query but didn't get any success. It is always giving me 0. sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as