因为SPL查询结果非常灵活,为了便于API调用者进行针对性的处理,将结果类型分为”QUERY”, “STATS”, “TRANSACTION“三类。
type为”QUEYR”,此类表明:
| 举例如请求query=”* | eval app=appname | eval rawlen=len(raw_message)”。 |
{
"rows": [{
"passlogszlogtype.logclass": "CrdAuxTrans.paas.cmbchina.cn",
"passlogszlogtype.logsource": "loggregator",
"appname": "paaslogsz",
"passlogszlogtype.uuid": "cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"timestamp": 1454312663585,
"hostname": "PaaSSyslog01SZ-0",
"tag": ["paas2.log", "paaslogs_sz_test"],
"passlogszlogtype.logtimestamp": "06/01/2016:09:26:24 +0000",
"passlogszlogtype.method": "POST",
"passlogszlogtype.firsttimestamp": "Jan 6 09:26:24",
"passlogszlogtype.url": "/authFail?smsCustNo=0000000128206230&beginDate=20160106&endDate=20160106&start=1&limit=8",
"passlogszlogtype.httpversion": "HTTP/1.1",
"passlogszlogtype.httpstatus": "200",
"passlogszlogtype.httpresplen": "54",
"passlogszlogtype.loguuidtype": "RTR"
}],
"fields": [
{
"type": "UNKOWN",
"name": "passlogszlogtype.httpversion"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.method"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.uuid"
},
{
"type": "UNKOWN",
"name": "tag"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.logsource"
},
{
"type": "UNKOWN",
"name": "hostname"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.httpresplen"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.httpstatus"
},
{
"type": "UNKOWN",
"name": "timestamp"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.loguuidtype"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.logtimestamp"
},
{
"type": "UNKOWN",
"name": "appname"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.logclass"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.firsttimestamp"
},
{
"type": "UNKOWN",
"name": "passlogszlogtype.url"
}],
"result": true,
"total": 311184,
"page": 0,
"size": 20
}| type=”STATS”,此类表明返回结果是一次统计计算的结果,是比较简单的表格返回形式。比如当query=”eval rawlen=len(raw_message) | stats avg(rawlen) as arl by hostname | sort by arl” |
{
"rows": [
{
"hostname": "PaaSSyslog01SZ-0",
"arl": 11
}],
"fields": [
{
"type": "UNKOWN",
"name": "hostname"
},
{
"type": "DOUBLE",
"name": "arl"
}],
"total": 1,
"type": "STATS",
"result": true
}type=”TRANSACTION”,此类表明返回结果是一次transaction聚合操作的结果。
source字段中。source字段是一个数组,数组的每个元素是原始事件的展开形式。_count字段代表这一行的原始事件有多少条。_duration字段代表原始事件的时间跨度。max_timestamp, min_timestamp两个辅助字段代表原始事件的起止时间。其差等于_duration的值。| 举例如query=”* | transaction hostname maxopenevents=100 maxevents=2” |
{
"rows": [{
"_count": 10,
"max_timestamp": 1454309220904,
"hostname": "PaaSSyslog01SZ-0",
"min_timestamp": 1454309220792,
"source": [
{
"passlogszlogtype.logclass": "CrdAuxTrans.paas.cmbchina.cn",
"passlogszlogtype.message": "\"-\" \"Jakarta Commons-HttpClient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logsource": "loggregator",
"appname": "paaslogsz",
"passlogszlogtype.uuid": "cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"timestamp": 1454309220792,
"hostname": "PaaSSyslog01SZ-0",
"tag": ["paas2.log", "paaslogs_sz_test"],
"raw_message": "Jan 6 09:26:24 loggregator cf1416b1-8e9c-42ac-96fc-8b88e58f8a94[[RTR]] CrdAuxTrans.paas.cmbchina.cn - [06/01/2016:09:26:24 +0000] \"POST /authFail?smsCustNo=0000000128206230&beginDate=20160106&endDate=20160106&start=1&limit=8 HTTP/1.1\" 200 54 \"-\" \"Jakarta Commons-HttpClient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logtimestamp": "06/01/2016:09:26:24 +0000",
"passlogszlogtype.method": "POST",
"passlogszlogtype.firsttimestamp": "Jan 6 09:26:24",
"passlogszlogtype.url": "/authFail?smsCustNo=0000000128206230&beginDate=20160106&endDate=20160106&start=1&limit=8",
"passlogszlogtype.httpversion": "HTTP/1.1",
"passlogszlogtype.httpstatus": "200",
"passlogszlogtype.httpresplen": "54",
"passlogszlogtype.loguuidtype": "RTR"
},
{
"passlogszlogtype.logclass": "CrdAuxTrans.paas.cmbchina.cn",
"passlogszlogtype.message": "\"-\" \"Jakarta Commons-HttpClient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logsource": "loggregator",
"appname": "paaslogsz",
"passlogszlogtype.uuid": "cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"timestamp": 1454309220805,
"hostname": "PaaSSyslog01SZ-0",
"tag": ["paas2.log", "paaslogs_sz_test"],
"raw_message": "Jan 6 09:26:24 loggregator cf1416b1-8e9c-42ac-96fc-8b88e58f8a94[[RTR]] CrdAuxTrans.paas.cmbchina.cn - [06/01/2016:09:26:24 +0000] \"POST /authFail?smsCustNo=0000000128206230&beginDate=20160106&endDate=20160106&start=1&limit=8 HTTP/1.1\" 200 54 \"-\" \"Jakarta Commons-HttpClient/3.1\" 10.1.142.17:57464 x_forwarded_for:\"10.1.142.17\" vcap_request_id:9c363702-4f26-4351-6038-84314f4398bd response_time:0.003147837 app_id:cf1416b1-8e9c-42ac-96fc-8b88e58f8a94",
"passlogszlogtype.logtimestamp": "06/01/2016:09:26:24 +0000",
"passlogszlogtype.method": "POST",
"passlogszlogtype.firsttimestamp": "Jan 6 09:26:24",
"passlogszlogtype.url": "/authFail?smsCustNo=0000000128206230&beginDate=20160106&endDate=20160106&start=1&limit=8",
"passlogszlogtype.httpversion": "HTTP/1.1",
"passlogszlogtype.httpstatus": "200",
"passlogszlogtype.httpresplen": "54",
"passlogszlogtype.loguuidtype": "RTR"
}],
"_id_": 9,
"_duration": 112
}],
"fields": [
{
"type": "UNKOWN",
"name": "hostname"
},
{
"type": "INT",
"name": "_count"
},
{
"type": "LONG",
"name": "_duration"
},
{
"type": "TRANSACTION",
"name": "source"
}],
"result": true,
"total": 1,
"page": 0,
"size": 20
}