Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: 1レコード内の複数の連続したデータを取り出して結合する方法
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tonakano
Engager
10-21-2019
02:15 AM
ご教授ください。
1つのレコードのパラメータで連続したデータA[],B[],C[]があります。
これらのデータの中身の個数は同数であり、順番も連携しています。
それぞれを取り出して意味のあるデータData(A[1],B[1],C[1])という形でデータを成型した上で分析に使いたいのですが、
方法はありますでしょうか?
データのイメージ
1レコードの構成:A[0,1,2,3,4・・・],B[10,11,12,13,14,・・・],C[100,200,300,400,・・・]
やりたいこと
Data1[A[0],B[0],C[0]),Data2[A[1],B[1],C[1]),Data3[A[2],B[2],C[2]),・・・
という風に纏めたい。
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-22-2019
04:24 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval datas=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand datas
| fields datas
| streamstats count
| fields datas count
| eval field_name="Data_".count
| eval result = field_name."[".datas.")"
| stats values(result) as result
| eval final_result=mvjoin(result,",")
なんとか形になりました。こちらでどうでしょうか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-22-2019
04:24 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval datas=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand datas
| fields datas
| streamstats count
| fields datas count
| eval field_name="Data_".count
| eval result = field_name."[".datas.")"
| stats values(result) as result
| eval final_result=mvjoin(result,",")
なんとか形になりました。こちらでどうでしょうか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tonakano
Engager
10-23-2019
12:49 AM
SPLありがとうございます。
ただ、私の説明が悪く、、、申し訳ありません。
やりたかったことを再度補足させて頂きます。
上記SPLの resultの形でデータ化をしたかった感じです。
記載いただいたresultは
Data_1[0,10,100]
Data_2[1,11,200]
Data_3[2,12,300]
Data_4[3,13,400]
Data_5[4,14,500]
となると思います。私の質問だと確かにその通りだなと思うのですが、、、やりたかったことは
このData_1を列として、各値を行として成型したかったというのが、本当にやりたかったことです。
Data_1:0,10,100
Data_2:1,11,200
Data_3:2,12,300
Data_4:3,13,400
Data_5:4,14,500
このData_xは時間単位でまとめようとしていました。
色々工夫頂いたのに、元の説明が悪く申し訳ありません。
何か方法御座いますでしょうか?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-23-2019
01:28 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval tmp=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand tmp
| fields tmp
| rex field=tmp "(?<Data_A>\d+),(?<Data_B>\d+),(?<Data_C>\d+)"
| fields - tmp
Data_A Data_B Data_C
0 10 100
1 11 200
2 12 300
3 13 400
4 14 500
こんな感じでしょうか
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-23-2019
01:32 AM
| stats count
| eval raw="A[0,1,2,3,4],B[10,11,12,13,14],C[100,200,300,400,500]"
| fields - count
| eval raw=replace(raw,",(?=\w+\[)","#")
| makemv delim="#" raw
`comment("this is sample data")`
| rex field=raw "(?<field_name>[^\[]+)\[(?<data>[^\]]+)\]"
| eval Data_A=mvindex(data,0),Data_B=mvindex(data,1),Data_C=mvindex(data,2)
| foreach Data_*
[eval <<FIELD>> = split(<<FIELD>>,",")]
| eval datas=mvzip(Data_A,mvzip(Data_B,Data_C,","),",")
| mvexpand datas
| fields datas
| streamstats count
| fields datas count
| eval field_name="Data_".count
| rex field=datas "(?<Data_A>\d+),(?<Data_B>\d+),(?<Data_C>\d+)"
| fields field_name,Data_*
field_name Data_A Data_B Data_C
Data_1 0 10 100
Data_2 1 11 200
Data_3 2 12 300
Data_4 3 13 400
Data_5 4 14 500
こちらでしょうか
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tonakano
Engager
10-23-2019
01:06 AM
申し訳ありません。自己解決しました。
記載頂いたSPLの応用で達成できました。ありがとうございます。
(mvindexで分解しました。)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
10-23-2019
05:40 AM
了解です。
happy Splunking.
Get Updates on the Splunk Community!
.conf25 Community Recap
Hello Splunkers,
And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...
Splunk App Developers | .conf25 Recap & What’s Next
If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
