因为spl查询结果非常灵活,为了便于api调用者进行针对性的处理,将结果类型分为”query”, “stats”, “transaction“三类。
type为”queyr”,此类表明:
| 举例如请求query=”* | eval app=appname | eval rawlen=len(raw_message)”。 |
{
"rows": [{
"passlogszlogtype.logclass": "crdauxtrans.paas.cmbchina.cn",
"passlogszlogtype.logsource": "loggregator",
"appname": "paaslogsz",
"passlogszlogtype.uuid": "cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"timestamp": 1454312663585,
"hostname": "paassyslog01sz-0",
"tag": ["paas2.log", "paaslogs_sz_test"],
"passlogszlogtype.logtimestamp": "06/01/2016:09:26:24 0000",
"passlogszlogtype.method": "post",
"passlogszlogtype.firsttimestamp": "jan 6 09:26:24",
"passlogszlogtype.url": "/authfail?smscustno=0000000128206230&begindate=20160106&enddate=20160106&start=1&limit=8",
"passlogszlogtype.httpversion": "http/1.1",
"passlogszlogtype.httpstatus": "200",
"passlogszlogtype.httpresplen": "54",
"passlogszlogtype.loguuidtype": "rtr"
}],
"fields": [
{
"type": "unkown",
"name": "passlogszlogtype.httpversion"
},
{
"type": "unkown",
"name": "passlogszlogtype.method"
},
{
"type": "unkown",
"name": "passlogszlogtype.uuid"
},
{
"type": "unkown",
"name": "tag"
},
{
"type": "unkown",
"name": "passlogszlogtype.logsource"
},
{
"type": "unkown",
"name": "hostname"
},
{
"type": "unkown",
"name": "passlogszlogtype.httpresplen"
},
{
"type": "unkown",
"name": "passlogszlogtype.httpstatus"
},
{
"type": "unkown",
"name": "timestamp"
},
{
"type": "unkown",
"name": "passlogszlogtype.loguuidtype"
},
{
"type": "unkown",
"name": "passlogszlogtype.logtimestamp"
},
{
"type": "unkown",
"name": "appname"
},
{
"type": "unkown",
"name": "passlogszlogtype.logclass"
},
{
"type": "unkown",
"name": "passlogszlogtype.firsttimestamp"
},
{
"type": "unkown",
"name": "passlogszlogtype.url"
}],
"result": true,
"total": 311184,
"page": 0,
"size": 20
}| type=”stats”,此类表明返回结果是一次统计计算的结果,是比较简单的表格返回形式。比如当query=”eval rawlen=len(raw_message) | stats avg(rawlen) as arl by hostname | sort by arl” |
{
"rows": [
{
"hostname": "paassyslog01sz-0",
"arl": 11
}],
"fields": [
{
"type": "unkown",
"name": "hostname"
},
{
"type": "double",
"name": "arl"
}],
"total": 1,
"type": "stats",
"result": true
}type=”transaction”,此类表明返回结果是一次transaction聚合操作的结果。
source字段中。source字段是一个数组,数组的每个元素是原始事件的展开形式。_count字段代表这一行的原始事件有多少条。_duration字段代表原始事件的时间跨度。max_timestamp, min_timestamp两个辅助字段代表原始事件的起止时间。其差等于_duration的值。| 举例如query=”* | transaction hostname maxopenevents=100 maxevents=2” |
{
"rows": [{
"_count": 10,
"max_timestamp": 1454309220904,
"hostname": "paassyslog01sz-0",
"min_timestamp": 1454309220792,
"source": [
{
"passlogszlogtype.logclass": "crdauxtrans.paas.cmbchina.cn",
"passlogszlogtype.message": "\"-\" \"jakarta commons-httpclient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logsource": "loggregator",
"appname": "paaslogsz",
"passlogszlogtype.uuid": "cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"timestamp": 1454309220792,
"hostname": "paassyslog01sz-0",
"tag": ["paas2.log", "paaslogs_sz_test"],
"raw_message": "jan 6 09:26:24 loggregator cf1416b1-8e9c-42ac-96fc-8b88e58f8a94[[rtr]] crdauxtrans.paas.cmbchina.cn - [06/01/2016:09:26:24 0000] \"post /authfail?smscustno=0000000128206230&begindate=20160106&enddate=20160106&start=1&limit=8 http/1.1\" 200 54 \"-\" \"jakarta commons-httpclient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logtimestamp": "06/01/2016:09:26:24 0000",
"passlogszlogtype.method": "post",
"passlogszlogtype.firsttimestamp": "jan 6 09:26:24",
"passlogszlogtype.url": "/authfail?smscustno=0000000128206230&begindate=20160106&enddate=20160106&start=1&limit=8",
"passlogszlogtype.httpversion": "http/1.1",
"passlogszlogtype.httpstatus": "200",
"passlogszlogtype.httpresplen": "54",
"passlogszlogtype.loguuidtype": "rtr"
},
{
"passlogszlogtype.logclass": "crdauxtrans.paas.cmbchina.cn",
"passlogszlogtype.message": "\"-\" \"jakarta commons-httpclient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logsource": "loggregator",
"appname": "paaslogsz",
"passlogszlogtype.uuid": "cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"timestamp": 1454309220805,
"hostname": "paassyslog01sz-0",
"tag": ["paas2.log", "paaslogs_sz_test"],
"raw_message": "jan 6 09:26:24 loggregator cf1416b1-8e9c-42ac-96fc-8b88e58f8a94[[rtr]] crdauxtrans.paas.cmbchina.cn - [06/01/2016:09:26:24 0000] \"post /authfail?smscustno=0000000128206230&begindate=20160106&enddate=20160106&start=1&limit=8 http/1.1\" 200 54 \"-\" \"jakarta commons-httpclient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logtimestamp": "06/01/2016:09:26:24 0000",
"passlogszlogtype.method": "post",
"passlogszlogtype.firsttimestamp": "jan 6 09:26:24",
"passlogszlogtype.url": "/authfail?smscustno=0000000128206230&begindate=20160106&enddate=20160106&start=1&limit=8",
"passlogszlogtype.httpversion": "http/1.1",
"passlogszlogtype.httpstatus": "200",
"passlogszlogtype.httpresplen": "54",
"passlogszlogtype.loguuidtype": "rtr"
}],
"_id_": 9,
"_duration": 112
}],
"fields": [
{
"type": "unkown",
"name": "hostname"
},
{
"type": "int",
"name": "_count"
},
{
"type": "long",
"name": "_duration"
},
{
"type": "transaction",
"name": "source"
}],
"result": true,
"total": 1,
"page": 0,
"size": 20
}