stackoom
  简体   繁体   中英

How do i optimize the following Splunk query?

 原文  2019-07-02 16:39:14       splunk/ splunk-query/ splunk-sdk/ splunk-formula

Question

I have results like below: 

 1. DateTime=2019-07-02T16:17:20,913 Thread=[],  Message=[Message(userId=124, timestamp=2019-07-02T16:17:10.859Z, notificationType=CREATE, userAccount=UserAccount(firstName=S, lastName=K, emailAddress=abc@xyz.com, status=ACTIVE), originalValues=OriginalValue(emailAddress=null)) Toggle : true]


 2. DateTime=2019-07-02T16:18:20,913 Thread=[],  Message=[Message(userId=124, timestamp=2019-07-02T16:17:10.859Z, notificationType=CREATE, userAccount=UserAccount(firstName=S, lastName=K, emailAddress=abc@xyz.com, status=ACTIVE), originalValues=OriginalValue(emailAddress=new@xyz.com)) Toggle : true]


 3. DateTime=2019-07-02T16:19:20,913 Thread=[],  Message=[Message(userId=124, timestamp=2019-07-02T16:17:10.859Z, notificationType=CREATE, userAccount=UserAccount(firstName=S, lastName=K, emailAddress=abc@xyz.com, status=ACTIVE), originalValues=OriginalValue(emailAddress=new@xyz.com)) Toggle : true]

And I am trying to group results where the contents of the entire "Message" field is same and "emailAddress=null" is not contained in the Message. 

So in the results above 2 and 3 should be the output.

The following query works fine for me but I need to optimize it further according to the following conditions:

Working Query : index=app sourcetype=appname host=appname* splunk_server_group=us-east-2 | fields Message | search Message= "[Message*" | regex _raw!="emailAddress=null" | stats count(Message) as count by Message | where count > 1 index=app sourcetype=appname host=appname* splunk_server_group=us-east-2 | fields Message | search Message= "[Message*" | regex _raw!="emailAddress=null" | stats count(Message) as count by Message | where count > 1

Conditions to optimize

  • Cannot rex against raw
  • Message key/value pair needs to be in the main search, not a sub-search

1 answers

solution1
 0  2019-07-02 17:48:27

You don't have any subsearches in your current query. A subsearch is a query surrounded by square brackets.

What's wrong with rex against _raw?

Try this: 

index=app sourcetype=appname host=appname* splunk_server_group=us-east-2 Message="[Message*" 
| fields Message 
| regex Message!="emailAddress=null" 
| stats count(Message) as count by Message | where count > 1

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do I evade the limit of 100 entries in python splunk query How do I create a Splunk query for unused event types? How do I added a token to the query of a dashboard in Splunk? have a join query which i need to optimize using OR and Stats, i am new to splunk and i am confused how to start How to do compound query with where clause in Splunk? how do I parse a JSON file to SPLUNK? How do I escape values in Splunk? Splunk - How do I make a clickable hyperlink How do i query splunk for latest and earliest time based on epoch time rather than human readable time? How to use/do where in column of a lookup in Splunk Search Query
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM