【发布时间】:2021-10-02 00:03:20
【问题描述】:
我有一些来自 Splunk 日志的数据,我需要确定在任何单个事件发生时同时运行的其他请求。
使用以下查询,我能够让它返回一个列,其中包含在我的开始时间和持续时间内同时运行的请求数。
index="sfdc" source="sfdc_event_log://EventLog_SFDC_Production_eventlog_hourly" EVENT_TYPE IN (API, RestAPI) RUN_TIME>20000
| eval endTime=_time
| eval permitTimeInSecs=(RUN_TIME-20000)/1000
| eval permitAcquiredTime=endTime-permitTimeInSecs
| eval dbTotalTime=DB_TOTAL_TIME/1000000
| concurrency start=permitAcquiredTime duration=permitTimeInSecs
| table _time API_TYPE EVENT_TYPE ENTITY_NAME apimethod concurrency permitAcquiredTime permitTimeInSecs RUN_TIME CPU_TIME dbtotalTime REQUEST_ID USER_ID
| fieldformat dbTotalTime=round(dbTotalTime,0)
| rename permitAcquiredTime as "Start Time", permitTimeInSecs as "Concurrency Duration", concurrency as "Concurrent Running Events", API_TYPE as "API Type", EVENT_TYPE as "Event Type", ENTITY_NAME as "Entity Name", apimethod as "API Method", RUN_TIME as "Run Time", CPU_TIME as "CPU Time", dbtotalTime as "DB Total Time", REQUEST_ID as "Request ID", USER_ID as "User ID"
| sort "Concurrent Running Events" desc
我现在正在尝试调查这些结果中的单个事件。例如,top 事件表示在它运行时,在 20 秒的时间窗口内运行了 108 个并发请求。
如何使用这些数据识别这 108 个事件?
我想它会查询具有特定时间范围的事件,但我不确定是否需要检查 _time + - 10 seconds 之类的内容以查看 20 秒窗口内运行的内容?
对于这个顶级示例,只需稍微了解一下108 events 背后的数据。我的最终目标是能够向仪表板添加向下钻取,以便当我单击 108 时,我可以看到正在运行的那些事件。
【问题讨论】:
标签: splunk splunk-query splunk-calculation