Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: 1レコード内の複数の連続したデータを取り出して結合する方法
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tonakano
Engager
10-21-2019
02:15 AM
ご教授ください。
1つのレコードのパラメータで連続したデータA[],B[],C[]があります。
これらのデータの中身の個数は同数であり、順番も連携しています。
それぞれを取り出して意味のあるデータData(A[1],B[1],C[1])という形でデータを成型した上で分析に使いたいのですが、
方法はありますでしょうか?
データのイメージ
1レコードの構成:A[0,1,2,3,4・・・],B[10,11,12,13,14,・・・],C[100,200,300,400,・・・]
やりたいこと
Data1[A[0],B[0],C[0]),Data2[A[1],B[1],C[1]),Data3[A[2],B[2],C[2]),・・・
という風に纏めたい。
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-22-2019
04:24 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval datas=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand datas
| fields datas
| streamstats count
| fields datas count
| eval field_name="Data_".count
| eval result = field_name."[".datas.")"
| stats values(result) as result
| eval final_result=mvjoin(result,",")
なんとか形になりました。こちらでどうでしょうか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-22-2019
04:24 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval datas=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand datas
| fields datas
| streamstats count
| fields datas count
| eval field_name="Data_".count
| eval result = field_name."[".datas.")"
| stats values(result) as result
| eval final_result=mvjoin(result,",")
なんとか形になりました。こちらでどうでしょうか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tonakano
Engager
10-23-2019
12:49 AM
SPLありがとうございます。
ただ、私の説明が悪く、、、申し訳ありません。
やりたかったことを再度補足させて頂きます。
上記SPLの resultの形でデータ化をしたかった感じです。
記載いただいたresultは
Data_1[0,10,100]
Data_2[1,11,200]
Data_3[2,12,300]
Data_4[3,13,400]
Data_5[4,14,500]
となると思います。私の質問だと確かにその通りだなと思うのですが、、、やりたかったことは
このData_1を列として、各値を行として成型したかったというのが、本当にやりたかったことです。
Data_1:0,10,100
Data_2:1,11,200
Data_3:2,12,300
Data_4:3,13,400
Data_5:4,14,500
このData_xは時間単位でまとめようとしていました。
色々工夫頂いたのに、元の説明が悪く申し訳ありません。
何か方法御座いますでしょうか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-23-2019
01:28 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval tmp=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand tmp
| fields tmp
| rex field=tmp "(?<Data_A>\d+),(?<Data_B>\d+),(?<Data_C>\d+)"
| fields - tmp
Data_A Data_B Data_C
0 10 100
1 11 200
2 12 300
3 13 400
4 14 500
こんな感じでしょうか
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-23-2019
01:32 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval datas=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand datas
| fields datas
| streamstats count
| fields datas count
| eval field_name="Data_".count
| rex field=datas "(?<Data_A>\d+),(?<Data_B>\d+),(?<Data_C>\d+)"
| fields field_name,Data_*
field_name Data_A Data_B Data_C
Data_1 0 10 100
Data_2 1 11 200
Data_3 2 12 300
Data_4 3 13 400
Data_5 4 14 500
こちらでしょうか
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tonakano
Engager
10-23-2019
01:06 AM
申し訳ありません。自己解決しました。
記載頂いたSPLの応用で達成できました。ありがとうございます。
(mvindexで分解しました。)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-23-2019
05:40 AM
了解です。
happy Splunking.
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
