使用 AWS CloudWatch Insights 分析一些日志文件,我可以绘制在时间箱中聚合的计数:
| stats count(*) by bin(1h)
正如预期的那样,这会生成一个图表,聚合每个时间箱中的所有日志。
我想用值 A 和 B 的“组”字段分割这些数据。
| stats count(*) by group, bin(1h)
这会按预期返回跨时间段的日志计数,但可视化选项卡显示“没有可视化可用”。我希望它返回一个时间序列图,其中包含 A 组系列和 B 组系列。
我哪里错了,或者这根本不可能?
好吧,我找到了一个非常笨拙的方法来解决这个问题。看来不,你不能做
| stats count(*) by group, bin(1h)
但是,您可以使用 parse 人为地创建新变量,如下所示:
parse "[E*]" as @error
| parse "[I*]" as @info
| parse "[W*]" as @warning
| filter ispresent(@warning) or ispresent(@error) or ispresent(@info)
| stats count(@error) as error, count(@info) as info, count(@warning) as warning by bin(15m)
在这里,我试图查看日志类型随时间的分布。我有三种格式的日志消息:“[ERROR]”、“[INFO]”和“[WARNING]”
扩展@smth 的样本,我通常会做一些不同的事情,
使用此查询,我可以在标准 nginx 访问日志上跟踪状态代码随时间聚合的趋势
fields @timestamp, @message
| parse @message '* - * [*] "* * *" * * "-" "*"' as host, identity, dateTimeString, httpVerb, url, protocol, status, bytes, useragent
| stats count (*) as all, sum ( status < 299 ) as c_s200, sum ( status > 299 and status < 399 ) as c_s300, sum ( status > 399 and status < 499 ) as c_s400, sum ( status > 499 ) as c_s500 by bin (1m)
诀窍是,像“status > 499”这样的表达式如果为假则返回 0,如果为真则返回 1,因此,将其添加到时间桶中允许模拟类似“count if [condition]”之类的东西
示例生成的图表在可视化选项卡上的外观也是如此。
There is also an extension to the workaround described by @smth that can support more complicated statistics than count(). Here's an example that graphs the CPU usage across different instances over time:
| fields (instance_id like "i-instance_1") as is_instance_1, (instance_id like "i-instance_2") as is_instance_2
| stats sum(cpu * is_instance_1) as cpu_1, sum(cpu * is_instance_2) as cpu_2 by bin(5m)
这是基于@smth 等人的答案的另一种变体。无法根据值自动构建图表非常烦人,因此您需要明确提及每个值。
fields @timestamp, @message
| filter namespace like "audit-log"
| fields coalesce(`audit.client-version`, "legacy") as version
| parse version "legacy" as v0
| parse version "886ac066*" as v1
| parse version "93e021e2*" as v2
| stats count(*), count(v0), count(v1), count(v2) by bin(5m)
结果:
