Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- 時間範囲内にあるイベントを検索したい。
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asukaka
Engager
12-15-2020
05:29 PM
教えてください。
STARTとENDの時間範囲のあるCSVを作成し、その範囲内にあるイベントを数えたいのですが、どのようにクエリを書けばよいでしょうか
<pre>
started,completed
2020/10/2 08:00,2020/10/2 10:00
2020/10/2 11:00,2020/10/2 11:30
2020/10/2 12:00,2020/10/2 12:30
2020/10/2 15:00,2020/10/2 16:00
2020/10/2 16:00,2020/10/2 18:00
2020/10/2 18:00,2020/10/2 19:00
2020/10/2 10:00,2020/10/2 22:00
</pre>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-17-2020
12:22 PM
sample:
| makeresults
| eval _raw="started,completed
2020/10/2 08:00,2020/10/2 10:00
2020/10/2 11:00,2020/10/2 11:30
2020/10/2 12:00,2020/10/2 12:30
2020/10/2 15:00,2020/10/2 16:00
2020/10/2 16:00,2020/10/2 18:00
2020/10/2 18:00,2020/10/2 19:00
2020/10/2 10:00,2020/10/2 22:00"
| multikv forceheader=1
| table started,completed
| foreach * [eval <<FIELD>>=strptime('<<FIELD>>', "%Y/%m/%d %H:%M")]
| rename started as earliest, completed as latest
| format "" "(" "" ")" "OR" ""
format使用することで、検索範囲を上記の通り作成することができます。
index=yours "search項目" [| inputlookup your_csv | table started,completed
| foreach * [eval <<FIELD>>=strptime('<<FIELD>>', "%Y/%m/%d %H:%M")]
| rename started as earliest, completed as latest
| format "" "(" "" ")" "OR" ""]こちらではどうですか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-17-2020
12:22 PM
sample:
| makeresults
| eval _raw="started,completed
2020/10/2 08:00,2020/10/2 10:00
2020/10/2 11:00,2020/10/2 11:30
2020/10/2 12:00,2020/10/2 12:30
2020/10/2 15:00,2020/10/2 16:00
2020/10/2 16:00,2020/10/2 18:00
2020/10/2 18:00,2020/10/2 19:00
2020/10/2 10:00,2020/10/2 22:00"
| multikv forceheader=1
| table started,completed
| foreach * [eval <<FIELD>>=strptime('<<FIELD>>', "%Y/%m/%d %H:%M")]
| rename started as earliest, completed as latest
| format "" "(" "" ")" "OR" ""
format使用することで、検索範囲を上記の通り作成することができます。
index=yours "search項目" [| inputlookup your_csv | table started,completed
| foreach * [eval <<FIELD>>=strptime('<<FIELD>>', "%Y/%m/%d %H:%M")]
| rename started as earliest, completed as latest
| format "" "(" "" ")" "OR" ""]こちらではどうですか?
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
