I’m super excited to announce that my new book Practical Splunk Search Processing Language has been published.

While there are many Splunk books in the market today, almost all of them try to combine several aspects of Splunk into one book. I’ve not found a single book that focuses solely on teaching SPL (Search Processing Language). For a user, learning SPL is the key to getting the most out of the Splunk platform. I know that SPL can be intimidating for a new user (heck, even for an experienced user, it can be intimidating). The key to mastering SPL is to focus on a handful of commands and fully mastering them. For example, while SPL has more than 140 commands, you’ve probably only used the following commands more often than not:

Just by mastering eval and stats, you can pretty much solve 90% of the problems. This is why I’ve dedicated a chapter for stats command alone.

Chapter 1, Introducing the Splunk platform, introduces the Splunk platform and the problems it solves. It discusses the architecture of the platform at a high level. It then introduces Search Processing Language (SPL) along with its syntax and usage. This chapter also walks you through the Splunk search interface. At the end of this chapter, you will have written your first SPL query yourself.

Chapter 2, Calculating Statistics, dives right into calculating statistics, an important function of SPL. It explains the all-powerful stats command with plenty of examples. This chapter then dives into another useful command eval and discusses its most useful functions. At the end of this chapter, you will have a thorough knowledge of using stats, chart and eval.

Chapter 3, Using Time Related Operations, reveals how you can generate insightful results from your machine-generated data using time. It discusses the command timechart in detail and provides various examples.

First search: index=A "ul-ctx-caller-span-id"=null

With this search, I can get several row data with different methods in the field thod, so the table will be:
ul-ctx-head-span-id | thod

With the field "ul-ctx-head-span-id", second search will return 2 row data with different ul-log-data.function, ul-span-duration, so the table will be:
ul-ctx-head-span-id | ul-log-data.function | ul-span-duration

Please note: the second search depends on the field "ul-ctx-head-span-id" in the result of first search.

Finally, I want get a table like below:
ul-ctx-head-span-id | thod | ul-log-data.function | ul-span-duration

It means if I get 4 row data in first search, then after join, I need show 8 row data.

Forgive my poor English, can someone help on this?

The easiest way to do this would be to use a join command:

index=cosv2 ul-ctx-source=c4rupgrd "ul-ctx-caller-span-id"!=null "ul-log-data.function"="GetRemainingAsync" OR "ul-log-data.http_url"="
| join ul-ctx-head-span-id
| table _time ul-ctx-head-span-id http_url function ul-span-duration

Try that and see if you get the results you're looking for.

Edit: Another way to accomplish this:

(index=cosv2 ul-ctx-source=c4rupgrd ( ("ul-ctx-caller-span-id"=null) OR ("ul-ctx-caller-span-id"!=null "thod"="*") )
| eval func_dur = 'ul-log-data.function'.
| stats values(thod) as thod values(func_dur) as func_dur by ul-ctx-head-span-id
| eval ul-log-data.function = mvindex(split(func_dur, "|"), 0), ul-span-duration = mvindex(split(func_dur, "|"), 1)
| table ul-ctx-head-span-id thod ul-log-data.function ul-span-duration