Splunk query examples
Using rangemap
index=aliyun sourcetype=ali_formatted_cdn (message.reqPath="/merch/products/v2*" OR message.reqPath="/merch/skus/v2*" OR message.reqPath="/merch/value_added_services/v1*" OR message.reqPath="/merch/contents/v1*" OR message.reqPath="/merch/prices/v2*" ) NOT message.reqPath="*batch*"
| replace /merch/products/v2* with merchproductsv2 in message.reqPath
| replace /merch/skus/v2* with merchskusv2 in message.reqPath
| replace /merch/value_added_services/v1* with vasv1 in message.reqPath
| replace /merch/contents/v1* with productcontentservice in message.reqPath
| replace /merch/prices/v2* with merchpricesv2 in message.reqPath
| stats count BY netPerf.downloadTime
| rangemap field=netPerf.downloadTime 0-2s=0-2000 2-5s=2001-5000 5-10s=5001-10000 10-30s=10001-30000 30-60s=30001-60000 default=60s+
| stats sum(count) by range
Nested query:
index=app app=xx [search index=app app=xx traceId=xx | top limit=10 traceId | table traceId]
Regular expressions:
index=app app=servicemonitor host="catalog-prod-catalog_servicemonitorv1-.ip-100-64-134-134-cn-northwest-1a" app:MERCH-VALUE_ADDED_SERVICES-V1 instanceId:i-0ebd2cd66d8584cb4
| rex field=_raw ", asg:(?<asgn>[\\w-]*),"
| rex field=_raw ", instanceId:(?<in>[\\w-]*)"
| table in asgn
| stats count by in asgn

index=app app=servicemonitor (error OR failed OR failure)
| rex field=_raw " method:(?<mname>[a-zA-Z0-9]*), "
| rex field=_raw " app:(?<appname>[a-zA-Z0-9_-]*), "
| stats count by mname appname
Replace operations:
index=aliyun sourcetype=ali_formatted_cdn (message.reqPath="/merch/*" NOT message.reqPath="*batch*")
| replace /merch/products/v* with merchproducts in message.reqPath
| replace /merch/skus/v* with merchskusv2 in message.reqPath
| replace /merch/value_added_services/v* with vasv1 in message.reqPath
| replace /merch/contents/v* with productcontentservice in message.reqPath
| replace /merch/prices/v* with merchpricesv2 in message.reqPath
| stats avg(netPerf.downloadTime) as avgDownloadTime,p95(netPerf.downloadTime) as p95DownloadTime,max(netPerf.downloadTime) as maxDownloadTime by message.reqPath
| eval avgDownloadTime=avgDownloadTime/1000, p95DownloadTime=p95DownloadTime/1000, maxDownloadTime=maxDownloadTime/1000

index=akamai message.reqHost=api.xx.com geo.country=CN
| fields message.reqPath
| rex mode=sed field=message.reqPath "s/%2f/\//g"
| rex mode=sed field=message.reqPath "s/[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}/{uuid}/g"
| search message.reqPath="/product_feed/*"
| stats count by message.reqPath
Counting the Y/N ratio
index=aliyun sourcetype=ali_formatted_cdn message.reqPath="/xxx/contents*"
| eval gt1s=if('netPerf.downloadTime'>1000, "Y", "N")
| stats count by gt1s

index=aliyun sourcetype=ali_formatted_cdn (message.reqPath="/xx/contents*")
| eval hit=if(like('netPerf.cacheStatus', "HIT%"), "Y", "N")
| stats count by hit
Maximum number of events per interval:
index=web source="/var/log/xx/productcontent/access.log" | bin span=1s _time | top 1 _time

index=aliyun sourcetype=ali_formatted_cdn message.reqPath="/merch/contents*" | bin span=1s _time | top 1 _time