Brief Splunk Notes
Author: Internet
Splunk Notes
source="c:\logs\abc.log"
| rex field=url "(?<=\/)(?<ApiId>\w+?)(?=$|\?)"
| search url != "*/swagger/"
| spath output=timeSpent path=durationInMs
| spath output=status path=data.statusCode
| eval error = if(status != 200, 1, 0)
| stats count as total, avg(timeSpent) as avgTimeSpent, sum(error) as errCount by ApiId
| eval errorRate = round(100 * errCount / total, 2), avgTimeSpent = round(avgTimeSpent, 2)
| sort total desc
Source: https://www.cnblogs.com/swlin/p/10748769.html