Splunk Notes

使用rex提取字段

source="c:\logs\abc.log"

| rex field=url "(?<=\/)(?<ApiId>\w+?)(?=$|\?)"

| search url != "*/swagger/"

| spath output=timeSpent path=durationInMs

| spath output=status path=data.statusCode

| evel error = if(status != 200, 1, 0)

| stats count as total, avg(timeSpent) as avgTimeSpent, sum(error) as errCount by ApiId

| eval errorRate = round(100 * errCount / total, 2), avgTimeSpent= round(avgSpentTime, 2)

| sort total desc

用rex匹配出JSON数据，使用spath提取字段

sourcetype=webapi_service

| rex "^(?:[^\{]*)(?P<data>.+)"

|spath input=data output=statusCode path=responseHeader.statsuCode

|spath input=data output=responseId path=responseHeader.responseId

|table responseId, statusCode