Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: フィールド内文字列の日付12ケタを抜き出して現時刻と比較し、一週間より前のものだけをレコード...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuusuke611
New Member
07-26-2019
01:52 AM
AWSの構成情報をSplunkに取り込んでいますが、AMIの取得日付が取り込みRowデータ自体に無い為、代替案として、AMIのnameに記載されている日付を取得して、本日日付と比較し、一週間以上前のものを取り出したいと思っています。どういうサーチ文を実行すればよいでしょうか。(以下、マスク部分はXXXXで書いてます。)
例)
source="*:ec2_images" AND aws_account_id="XXXXXXXXXXXX"
| dedup id
出力例) ※AMIの取得日付がなぜかない。。
{"owner_id": "XXXXXXXXXXXX", "instance_lifecycle": null, "ramdisk_id": null, "is_public": false, "description": "XXXXXXXXXXXX-201807301152-manual", "root_device_type": "ebs", "id": "ami-XXXXXXXXXXXX", "virtualization_type": "hvm", "account_id": "XXXXXXXXXXXX", "owner_alias": null, "type": "machine", "kernel_id": null, "state": "available", "sriov_net_support": "simple", "product_codes": [], "architecture": "x86_64", "location": "XXXXXXXXXXXX/XXXXXXXXXXXX-201807301152-manual", "billing_products": [], "region": "ap-northeast-1", "name": "XXXXXXXXXXXX-201807301152-manual", "hypervisor": "xen", "platform": null, "root_device_name": "/dev/xvda"}
代替案としてやりたいこと)
descriptionやnameフィールドの日付12ケタを抜き出して現時刻と比較し、一週間より前のものだけをレコード出力する
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
melonman
Motivator
08-01-2019
05:46 PM
@kamlesh_vaghela さんの回答に補足する形になりますが、
1. nameフィールドからrexで日付部分を取得したあと、
2. 現在時刻から1週間前の時刻(UNIX時間)と比較して、
3. where句でフィルタを行う
という流れでいけるとおもいますよ。
... your search to get events
| rex field=name "-(?<ami_cdatehour>\d{12})-"
| eval ami_ctime = strptime(ami_cdatehour,"%Y%m%d%H%M")
| eval a_week_ago = relative_time( now(), "-7d@d")
| where ami_ctime < a_week_ago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
melonman
Motivator
08-01-2019
05:46 PM
@kamlesh_vaghela さんの回答に補足する形になりますが、
1. nameフィールドからrexで日付部分を取得したあと、
2. 現在時刻から1週間前の時刻(UNIX時間)と比較して、
3. where句でフィルタを行う
という流れでいけるとおもいますよ。
... your search to get events
| rex field=name "-(?<ami_cdatehour>\d{12})-"
| eval ami_ctime = strptime(ami_cdatehour,"%Y%m%d%H%M")
| eval a_week_ago = relative_time( now(), "-7d@d")
| where ami_ctime < a_week_ago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
08-01-2019
09:06 PM
@yuusuke611 @melonman
すばらしいです。いずれにせよ私の答えが参考になるならば挨拶として支持してください。 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuusuke611
New Member
08-01-2019
05:51 PM
@kamlesh_vaghela さん、@melonman さん、回答ありがとうございました!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
melonman
Motivator
08-01-2019
06:15 PM
回答にAcceptしていただけるとありがたいです!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
07-26-2019
05:52 AM
@yuusuke611
You can extract your required data using rex command.
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex
Can you please try this for your specific case?
====================================
必要なデータは rexコマンドを使って取り出すことができます。
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex
あなたの特定のケースでこれを試してください。
====================================
YOUR_SEARCH | rex field=name "-(?<date>\d{12})-" | eval epoch = strptime(date,"%Y%m%d%H%M"), readable=strftime(epoch,"%Y-%m-%d %H:%M")
My Sample Search:
| makeresults | eval _raw="{\"owner_id\": \"XXXXXXXXXXXX\", \"instance_lifecycle\": null, \"ramdisk_id\": null, \"is_public\": false, \"description\": \"XXXXXXXXXXXX-201807301152-manual\", \"root_device_type\": \"ebs\", \"id\" : \"ami-XXXXXXXXXXXX\", \"virtualization_type\": \"hvm\", \"account_id\": \"XXXXXXXXXXXX\", \"owner_alias\": null, \"type\": \"machine\", \"kernel_id\": null, \"state\": \"available\" , \"sriov_net_support\": \"simple\", \"product_codes\": [], \"architecture\": \"x86_64\", \"location\": \"XXXXXXXXXXXX / XXXXXXXXXXXX-201807301152-manual\", \"billing_products\": [], \"region\": \" ap-northeast-1 \",\" name \":\" XXXXXXXXXXXX-201807301152-manual \",\" hypervisor \":\" xen \",\" platform \": null,\" root_device_name \":\" / dev / xvda \"}" |kv | table description name | rex field=name "-(?<date>\d{12})-" | eval epoch = strptime(date,"%Y%m%d%H%M"), readable=strftime(epoch,"%Y-%m-%d %H:%M")
Thanks
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
