Splunk: notes on a complex data-processing task

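While using Splunk to run statistics over JSON results, I found that the JSON fields could be extracted but could not be split apart, as shown below.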



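The values look like separate rows, but in practice they can only be queried as a single multi-line (multivalue) field, so the statistics come out wrong.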

The SPL used to process the data:

index="hongliu" */thirdparty/portal/user/company/relation/list
| spath input=ResponseBody
| rename content.items{}.companyId as companyId, content.items{}.userEmail as out-userEmail, content.items{}.userName as userName
| eval temp=mvzip(mvzip('userName','out-userEmail',"#"),'companyId',"#")
| mvexpand temp
| eval temp1=split(temp,"#")
| eval userName=mvindex(temp1,0)
| eval "out-userEmail"=mvindex(temp1,1)
| eval companyId=mvindex(temp1,2)
| dedup userName, out-userEmail, companyId
| table userName, out-userEmail, companyId

The resulting table is shown in the screenshot below.
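Added example, not part of the original post: a Python model of the mvzip / mvexpand / split pipeline above, compared with expanding one row per array element. It shows two cases where the zipped columns attribute a value to the wrong user: an item that lacks `userEmail`, and a value that contains the `#` delimiter. The sample data and function names are constructed, and the code assumes that spath leaves no placeholder for an absent key and that mvzip pairs by position up to the shortest list.

```python
import json

FIELDS = ("userName", "userEmail", "companyId")


def body(items):
    """Build a ResponseBody shaped like the post's content.items[] array."""
    return json.dumps({"content": {"items": items}})


# Constructed sample data (not from the original post).
COMPLETE = body([
    {"companyId": "c-001", "userEmail": "alice@example.com", "userName": "alice"},
    {"companyId": "c-002", "userEmail": "bob@example.com", "userName": "bob"},
])
MISSING_EMAIL = body([
    {"companyId": "c-001", "userEmail": "alice@example.com", "userName": "alice"},
    {"companyId": "c-002", "userName": "bob"},
    {"companyId": "c-003", "userEmail": "carol@example.com", "userName": "carol"},
])
HASH_IN_VALUE = body([
    {"companyId": "c-004", "userEmail": "dave@example.com", "userName": "dave#ops"},
])


def zip_expand(response_body, sep="#"):
    """Model of the post's pipeline: mvzip the columns, mvexpand, split on sep."""
    items = json.loads(response_body)["content"]["items"]
    # Assumption: like spath, an absent key contributes no value to its column.
    cols = [[it[f] for it in items if f in it] for f in FIELDS]
    # Assumption: like mvzip, pairing is by position and stops at the shortest column.
    joined = [sep.join(vals) for vals in zip(*cols)]
    # The post reads only indexes 0..2 of the split result.
    return [tuple(row.split(sep)[:3]) for row in joined]


def per_item_expand(response_body):
    """One row per array element, so values cannot cross between items."""
    items = json.loads(response_body)["content"]["items"]
    return [tuple(it.get(f) for f in FIELDS) for it in items]


def misattributed(response_body):
    """Rows from the zip pipeline that match no real element of the array."""
    truth = set(per_item_expand(response_body))
    return [row for row in zip_expand(response_body) if row not in truth]
```

In SPL the per-item form is `spath input=ResponseBody path=content.items{} output=item`, then `mvexpand item`, then `spath input=item`.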




© 走过岁月...... | Powered by LOFTER