如何在Splunk中合并两个统计信息？

debugcn 发表于 Dev

哈里·普里亚（Hari Priya）

我想要一个图来显示值。一种搜索是

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created

这给了我一张桌子

同样，我还有另一个搜索

 index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) As DueOpen by CW_DueDate

这给了我另一张桌子

我尝试使用appendcols组合这两个方法，但是X轴只有CW_Created并以错误的CW显示第二个表格详细信息。

我希望将CW_Created和CW_Duedate组合在一起，并在单个表（例如CW，Open，Close，DueCount）中提供结果，而对于特定的CW，DueCount不在其中，则用0填充它，而其他人则显示数据。

CW      |Open     |Close    |DueCount
CW27    |7        |0        |0
CW28    |2        |0        |0
CW29    |0        |0        |4
CW30    |0        |7        |3
CW31    |0        |0        |1
CW32    |0        |0        |1

富贵

appendcols命令使用起来有些棘手。来自主搜索和子搜索的事件是一对一地配对的，而不考虑任何字段值。这意味着事件CW27将与CW29相匹配，事件CW28将与CW30相匹配，依此类推。

请尝试添加命令。子搜索的结果将跟随主搜索的结果，但是stats命令可用于合并它们。

index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS closed by CW_Created
| append [ index="cumu_open_csv"  Assignee="ram"
| eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0)
| stats count(eval(open_field=1)) As DueOpen by CW_DueDate ]
| eval CW = coalesce(CW_Created, CW_DueDate)
| stats values(*) as * by CW

本文收集自互联网，转载请注明来源。

如有侵权，请联系[email protected] 删除。