SPL timechart

最新推荐文章于 2022-03-03 08:00:00 发布

丁佑强

最新推荐文章于 2022-03-03 08:00:00 发布

阅读量681

点赞数

分类专栏： splunk 文章标签： splunk

本文链接：https://blog.csdn.net/qq_42938493/article/details/122334327

版权

splunk 专栏收录该内容

9 篇文章 1 订阅

订阅专栏

timechart

从https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Systemrequirements这里下载Prices.csv.zip和tutorialdata.zip ，然后索引进main索引就可以了。而prices.csv解压后创建一个prices.csv的lookup表
搜索购买purchase的事件，然后通过查找表去获取关联的字段。

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price

timechart命令就是将统计聚合应用于某个字段生成图表。
假如只设置为4天前，计算出售了多少商品。它本身有时间函数per_day(),per_hour(),per_minute(),per_second() 。时间桶选项可以设置桶的大小

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price

每周一，时间设置为4周前

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=w@w1 sum(sale_price) as total_sale_price

有个默认时间跨度。15分钟为10秒，60分钟为1分钟，4小时为5分钟等等，最好还是指定下span等于多少，不然按这个默认的算。
另外的span选项叫做minspan，minspan有临界值。下面时间设置为4天前，输入minspan35分钟超过30分钟临界值，时间桶就装成了1小时的数据

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart minspan=35m sum(sale_price) as total_sale_price

在这里插入图片描述

bins选项

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart bins=10 sum(sale_price) as total_sale_price

aligntime选项

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=12h aligntime=earliest sum(sale_price) as total_sale_price

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=12h aligntime=@d+5h sum(sale_price) as total_sale_price

eval表达式

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h eval(round(sum(sale_price),1)) as total_sale_price

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart per_day(eval(method="GET")) as number_of_views , per_day(eval(action="purchase")) as number_of_purchase

by ，尝试通过产品名来分开汇总

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by product_name

在这里插入图片描述

上面可以看到最后有个Other字段，默认是展示top 10个分类，最后一个为Other。

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by product_name otherstr="All Other Products"

在这里插入图片描述

如果不要Other这一列

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by product_name  useother=f

limit=0 展示所有的分类，慎用

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart limit=0 span=1h sum(sale_price) as total_sale_price by product_name  useother=f

有时候splunk会出现名字为null的列，比如VendorID没有关联到sale_price，就会变为null列

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by VendorID

在这里插入图片描述

如果启用了 usenull=f ，他就不会显示这个null列。或者你想给Null列一个名字

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by VendorID usenull=f

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by VendorID nullstr="No Product Available"

where 分句一般用来过滤事件

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by product_name where sum in top2

index=main action="purchase" 
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price) as total_sale_price by product_name where sum in bottom2

timechart中一些时间段没有数据，如果不需要，则使用cont=f参数
fixedrange=f 只会有数据的字段显示出来
假如有两个统计的项

index=main  
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart span=1h sum(sale_price)  as total_sale_price , max(price) as max_price   by product_name

在这里插入图片描述

上面的字段通过冒号：来分隔。可以修改为. 点，或者format

index=main  
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart sep="." span=1h sum(sale_price)  as total_sale_price , max(price) as max_price   by product_name

index=main  
| lookup prices.csv productId as productId outputnew product_name,sale_price
| timechart format=$AGG$_$VAL$ span=1h sum(sale_price)  as total_sale_price , max(price) as max_price   by product_name

丁佑强

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
SPL timechart

timechart从https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Systemrequirements这里下载Prices.csv.zip和tutorialdata.zip ，然后索引进main索引就可以了。而prices.csv解压后创建一个prices.csv的lookup表搜索购买purchase的事件，然后通过查找表去获取关联的字段。index=main action="purchase" | loo
复制链接

扫一扫