[GitHub] [openwhisk] mcdan commented on a change in pull request #5057: Sort Splunk logs by timestamp

Fri, 29 Jan 2021 16:57:22 -0800 


mcdan commented on a change in pull request #5057:
URL: https://github.com/apache/openwhisk/pull/5057#discussion_r567169122



##########
File path: 
common/scala/src/main/scala/org/apache/openwhisk/core/containerpool/logging/SplunkLogStore.scala
##########
@@ -114,12 +114,12 @@ class SplunkLogStore(
                          context: UserContext): Future[ActivationLogs] = {
 
     //example curl request:
-    //    curl -u  username:password -k 
https://splunkhost:port/services/search/jobs -d exec_mode=oneshot -d 
output_mode=json -d "search=search index=someindex | search namespace=guest | 
search activation_id=a930e5ae4ad4455c8f2505d665aad282 | spath=log_message | 
table log_message" -d "earliest_time=2017-08-29T12:00:00" -d 
"latest_time=2017-10-29T12:00:00"
+    //    curl -u  username:password -k 
https://splunkhost:port/services/search/jobs -d exec_mode=oneshot -d 
output_mode=json -d "search=search index=someindex | search namespace=guest | 
search activation_id=a930e5ae4ad4455c8f2505d665aad282 | spath=log_message | 
table log_message" -d "earliest_time=2017-08-29T12:00:00" -d 
"latest_time=2017-10-29T12:00:00 | sort - log_timestamp | reverse"
     //example response:
     //    
{"preview":false,"init_offset":0,"messages":[],"fields":[{"name":"log_message"}],"results":[{"log_message":"some
 log message"}], "highlighted":{}}
     //note: splunk returns results in reverse-chronological order, therefore 
we include "| reverse" to cause results to arrive in chronological order
     val search =
-      s"""search index="${splunkConfig.index}" | search 
${splunkConfig.queryConstraints} | search 
${splunkConfig.namespaceField}=${namespace} | search 
${splunkConfig.activationIdField}=${activationId} | spath 
${splunkConfig.logMessageField} | table ${splunkConfig.logTimestampField}, 
${splunkConfig.logStreamField}, ${splunkConfig.logMessageField} | reverse"""
+      s"""search index="${splunkConfig.index}" | search 
${splunkConfig.queryConstraints} | search 
${splunkConfig.namespaceField}=${namespace} | search 
${splunkConfig.activationIdField}=${activationId} | spath 
${splunkConfig.logMessageField} | table ${splunkConfig.logTimestampField}, 
${splunkConfig.logStreamField}, ${splunkConfig.logMessageField} | sort - 
log_timestamp | reverse"""

Review comment:
       Can we do `sort log_timestamp` and drop the reverse? The negated field 
changes the order, which is the same thing as the reverse, right?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to