如何在 Splunk Enterprise 的搜索字符串中使用 where 子句
[英]How to use where clause in my search string in Splunk Enterprise
问题描述
I have a search string like below:
我有一个如下的搜索字符串:
index=qrp STAGE IN (ORDER_EVENT) |索引=qrp 进入 (ORDER_EVENT) | bucket _time span=1h |桶_时间跨度=1h | timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE | fillnull value=0填充空值=0
And this is currently giving me aggregates of trades for multiple source systems from the stage table Trade event in a tabular format for every hour of the day.目前,这为我提供了来自舞台表交易事件的多个源系统的交易汇总,以表格格式在一天中的每个小时进行。
I need to search exactly for the time frame 8am every day, whether the value of sun of trade for all source systems in the table is equal to zero.我需要准确搜索每天早上 8 点的时间范围,表中所有源系统的交易太阳值是否等于零。 How to add the condition to check the column value is Zero or not?如何添加条件以检查列值是否为零?
Your help is much appreciated.非常感谢您的帮助。
1 个解决方案
解决方案1
0 2020-08-09 20:37:08
You can use the where command to test the value of a field.您可以使用where命令来测试字段的值。
... | where TradeCount == 0
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.