对 100 毫秒内发生的事件进行分组和计数

问题描述 投票:0回答:1

我有以下数据。如果事件在 100 毫秒内发生,并且它们通过相同的哈希码和相同的thirdPartyId 匹配,我想返回表数据。因此,本质上,搜索必须按 ThirdPartyId 和 hashcode 的每个组合进行排序,然后逐行比较事件以查看前一行和当前行是否在 100 毫秒内发生。查询应该是什么样的?

| makeresults format=csv data="startTS,thirdPartyId,hashCode,accountNumber 2024-04-16 21:53:02.455-04:00,AAAAAAAA,00000001,11111111 2024-04-16 21:53:02.550-04:00,AAAAAAAA,00000001,11112222 2024-04-16 21:53:02.650-04:00,BBBBBBBB,00001230,22222222 2024-04-16 21:53:02.650-04:00,CCCCCCCC,00000002,12121212 2024-04-16 21:53:02.730-04:00,DDDDDDDD,00000005,33333333 2024-04-16 21:53:02.830-04:00,DDDDDDDD,00000005,33334444 2024-04-16 21:53:02.670-04:00,BBBBBBBB,00000002,12121212 2024-04-16 21:53:02.700-04:00,CCCCCCCC,00000002,21212121" |按startTS、thirdPartyId排序

| makeresults format=csv data="startTS,thirdPartyId,hashCode,accountNumber 2024-04-16 21:53:02.455-04:00,AAAAAAAA,00000001,11111111 2024-04-16 21:53:02.550-04:00,AAAAAAAA,00000001,11112222 2024-04-16 21:53:02.650-04:00,BBBBBBBB,00001230,22222222 2024-04-16 21:53:02.650-04:00,CCCCCCCC,00000002,12121212 2024-04-16 21:53:02.670-04:00,CCCCCCCC,00000002,12121212 2024-04-16 21:53:02.900-04:00,CCCCCCCC,00000002,21212121 2024-04-16 21:53:02.730-04:00,DDDDDDDD,00000005,33333333 2024-04-16 21:53:02.930-04:00,DDDDDDDD,00000005,33334444" |排序时间 | bin_时间跨度=100ms |按thirdPartyId、hashCode 统计计数 |其中计数 >=2

search splunk splunk-query
1个回答
0
投票

尝试:

| makeresults format=csv data="startTS,thirdPartyId,hashCode,accountNumber
2024-04-16 21:53:02.455-04:00,AAAAAAAA,00000001,11111111 
2024-04-16 21:53:02.550-04:00,AAAAAAAA,00000001,11112222 
2024-04-16 21:53:02.650-04:00,BBBBBBBB,00001230,22222222 
2024-04-16 21:53:02.650-04:00,CCCCCCCC,00000002,12121212 
2024-04-16 21:53:02.670-04:00,CCCCCCCC,00000002,12121212 
2024-04-16 21:53:02.900-04:00,CCCCCCCC,00000002,21212121 
2024-04-16 21:53:02.730-04:00,DDDDDDDD,00000005,33333333 
2024-04-16 21:53:02.930-04:00,DDDDDDDD,00000005,33334444"
| eval startTS=strptime('startTS',"%F %H:%M:%S.%3N%:z")
| sort hashCode thirdPartyId startTS
| streamstats window=1 current=false list(startTS) AS prevTS BY hashCode thirdPartyId
| eval 
    timeDifference=startTS-prevTS,
    prevEventWI100ms=if(timeDifference<=0.1,1,0)

说明:

  • | eval ... strptime()
    将时间转换为UNIX时间,以便可以计算时间戳; 多库
  • | sort
    根据您提供的标准
  • | streamstats
    以相同的条件为您获取上一个事件的时间; 多库
  • | eval
    将差异计算到 
    timeDifference
    ,然后将其与 100ms 进行比较,并创建布尔值到 
    prevEventWI100ms
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.