时间戳

首页 > 解决方案 > Splunk如何使用where子句进行复合查询?

splunk - Splunk如何使用where子句进行复合查询?

问题描述

我有以下数据作为示例:

我想找到所有位置温度高于阈值的事件,有时说 80F。

Temperature=82.4, Location=xxx.165.152.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=84.2, Location=xxx.165.152.48, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.154.21, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.162.22, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.164.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.2, Location=xxx.165.170.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.208.12, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=73.4, Location=xxx.165.224.20, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.3, Location=xxx.165.52.13, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=77.9, Location=xxx.165.52.14, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=76.3, Location=xxx.165.54.24, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=83.8, Location=xxx.165.48.20, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=73.8, Location=xxx.165.36.21, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor

我可能首先找到温度高于阈值的位置子集,如下所示:

| Temperature > 80
| fields Location
| dedup Location

我将查询的位置结果称为“hot_locations”,

然后我想执行我的最终查询:

| Location IN hot_locations

我的问题是 Splunk 查询语言表达规范的语法是什么?也就是说,如何表达嵌入的查询并使用它的值来执行最终的查询。

在伪代码中,它可能如下所示:

| let hot_locations = {| Temperature > 80
| fields Location
| dedup Location}
| Location IN hot_locations

它的正确表达方式是什么?

如果有帮助,我需要仪表板中的逻辑,我想我可以使用输入面板的变量来表达 hot_locations 的值。

标签: splunksplunk-query

解决方案

Splunk 没有标记查询结果的能力。但是,您可以使用子搜索进行等效操作。

index=foo [ search index=bar Temperature > 80 | fields Location | format ]

推荐阅读