Splunk Tutorial

Splunk - Subsearching

A subsearch is a special case of a regular search in which the result of a secondary, inner query is used as input to the primary, outer query. It is similar to the concept of a subquery in SQL. In Splunk, the inner query (the subsearch) should return a small result set, typically one or a few rows, whose field values are turned into a filter for the outer query.

When a search contains a subsearch, the subsearch runs first. A subsearch must be enclosed in square brackets inside the primary search.

Example

Consider the case of finding, in a web log, the file with the largest size in bytes. That maximum may change from day to day. We then want to keep only those events whose file size equals that maximum and which occurred on a Sunday.

Create the Subsearch

We first create the subsearch that finds the maximum file size. We use the stats command with the max function on the field named bytes, i.e. stats max(bytes). This returns the largest file size among all events in the time range over which the search runs.

The image below shows the search and the result of this subsearch:

[Image: subsearch 1]

Adding the Subsearch

Next, we add the subsearch to the primary, outer query by placing it inside square brackets. Because the first term inside the brackets must be a command, the subsearch starts with the search keyword, which is implicit at the beginning of a regular search but required here.

[Image: subsearch 2]

As we can see, the result contains only the events whose file size equals the maximum file size found across all events, and whose day of the week is Sunday.
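The three queries below are an added example that spells out, in SPL, the procedure described in this section; they are not the queries shown in the page's screenshots. They assume a web access log indexed with sourcetype access_combined and the automatically extracted fields bytes and date_wday (Splunk populates date_wday with lowercase day names such as sunday); adjust the sourcetype to match your data. The first query is the subsearch on its own, the second shows it embedded in the outer search, and the third uses the format command to reveal the filter that the subsearch is turned into.

```spl
sourcetype=access_combined
| stats max(bytes) AS bytes

sourcetype=access_combined date_wday=sunday
    [ search sourcetype=access_combined
      | stats max(bytes) AS bytes ]

sourcetype=access_combined
| stats max(bytes) AS bytes
| format
```

The rename in stats max(bytes) AS bytes is the part that is easy to get wrong. Without it the subsearch returns a field literally named max(bytes), the outer search receives a filter of the form max(bytes)=<value>, and no event matches because no event has a field with that name. The third query makes this visible: format writes the generated filter into a field named search, which is what Splunk would substitute into the outer query in place of the brackets. Two further caveats apply when a subsearch returns events rather than a single aggregate: by default a subsearch is limited to 10,000 results and 60 seconds of run time (the maxout and maxtime settings in the [subsearch] stanza of limits.conf), and results beyond those limits are silently dropped from the filter, so a subsearch used to scope a security search (for example, a list of hosts or IPs to look up) should be reduced with stats or dedup before it is handed to the outer search.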