Sumologic 和搜索查询中的两个聚合
Posted
技术标签:
【中文标题】Sumologic 和搜索查询中的两个聚合【英文标题】:Sumologic sum two aggregates in search query 【发布时间】:2021-02-15 13:17:37 【问题描述】:我想要实现的是将两个聚合字段 sum(DiscoverCountOld) 的总和显示为 VisitsDiscoveredOld 和 sum(DiscoverCount) 作为 VisitsDiscovered 作为新列而不是这两个字段
_source="src" and _collector="collector"
| parse regex "Finished cataloging (?<DiscoverCountOld>\d+) visits for state " nodrop
| parse regex "Finished cataloging visits: Visit count: (?<DiscoverCount>\d+)" nodrop
| parse regex "Finished submitting (?<SubmitCount>\d+) visits for state CO" nodrop
| parse regex "Finished updating status for (?<UpdateCount>\d+) visits for state CO"
| fields DiscoverCountOld,DiscoverCount,SubmitCount,UpdateCount
| timeslice 1d
| sum(DiscoverCountOld) as VisitsDiscoveredOld,sum(DiscoverCount) as VisitsDiscovered, sum(SubmitCount) as VisitsSubmitted, sum(UpdateCount) as VisitsUpdated group by _timeslice
| fillmissing timeslice(1d)
| sort by _timeslice asc
【问题讨论】:
【参考方案1】:这是找到的答案:
_source="_source" and _collector="-collector"
| parse regex "Finished cataloging (?<DiscoverCountOld>\d+) visits for state " nodrop
| parse regex "Finished cataloging visits: Visit count: (?<DiscoverCount>\d+)" nodrop
| parse regex "Finished submitting (?<SubmitCount>\d+) visits for state CO" nodrop
| parse regex "Finished updating status for (?<UpdateCount>\d+) visits for state CO"
| timeslice 1d
| sum(DiscoverCountOld) as VisitsDiscoveredOld,sum(DiscoverCount) as VisitsDiscoveredNew, sum(SubmitCount) as VisitsSubmitted, sum(UpdateCount) as VisitsUpdated group by _timeslice
| VisitsDiscoveredOld+VisitsDiscoveredNew as VisitsDiscovered
| fields _timeslice,VisitsDiscovered,VisitsSubmitted,VisitsUpdated
| fillmissing timeslice(1d)
| sort by _timeslice asc
【讨论】:
以上是关于Sumologic 和搜索查询中的两个聚合的主要内容,如果未能解决你的问题,请参考以下文章
如何使用 sumologic 自定义 cron 搜索来安排每 10 分钟一次的搜索