站长资讯网Here is offical document:https://docs.splunk.com/Documentation/SplunkCloud/7.0.2/Search/GetstartedwithSearch
| inputlookup all_w
| search slavename="MAC-BUILD-GIT*"
| join type=outer slavename
[ search index="acadci_mp_prod" category=taskEnded slavename=*
| stats count by slavename
]
| eval count=if(isnull(count), "0", count)
| sort -count
上面这个SPL类似于SQL的全连接, type=outer
inputlookup lookup_table_name: 相当于 select * from lookup_table_name
| search slavename="MAC-BUILD-GIT*" 相当于 where slavename ="MAC-BUILD-GIT*"
[ search index="acadci_mp_prod" category=taskEnded slavename=*
| stats count by slavename
]
是个子查询
eval可以对现有的field计算 变形等 生成新的filed
sort 用来排序
Note: type= inner left outer 官方说left 与outer是一样的 , 但实际并不一样. default是left.
LOOKUP使用的时候需要某个field名与要查询的表相同.
