Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: I want to know whether Bob had se
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to know whether Bob had se
kawashita_t
Explorer
10-09-2016
10:42 PM
Please tell me the way of the binding of data.
I want to combine the two data.
These data How can you join?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-10-2016
06:26 AM
Assuming your data is already in splunk in two separate indexes, you could try something like this
base search to return all viewing data | eval viewstart=strptime(date."#".starttime, "%Y/%m/%d#%H%M") | eval viewend=strptime(date."#".endtime, "%Y/%m/%d#%H%M") | eval viewrange=mvrange(viewstart, viewend, "30m") | mvexpand viewrange | fields name viewrange ch viewend | append [search base search to return all programming data | eval viewstart=strptime(date."#".starttime, "%Y/%m/%d#%H%M") | eval viewend=strptime(date."#".endtime, "%Y/%m/%d#%H%M") | eval viewrange=mvrange(viewstart, viewend, "30m") | mvexpand viewrange | fields viewrange ch prog viewend ] | stats values(prog) as program values(viewend) as viewend values(name) as name by ch viewrange | dedup name viewend | rename viewrange as start viewend as end | eval date=strftime(start, "%Y/%m/%d") | eval start=strftime(start, "%H:%M") | eval end=strftime(end, "%H:%M") | table name date start end program
*OR
index=tv
| rename setai_no as name rt_code as ch
| eval viewstart=strptime(date."#".start_time, "%Y-%m-%d#%H%M")
| eval viewend=strptime(date."#".end_time, "%Y-%m-%d#%H%M")
| eval viewrange=mvrange(viewstart, viewend, "30m")
| mvexpand viewrange
| fields name viewrange ch viewend
| append [search index=tv_program
| rename BROADCAST_DATE as date START_TIME as starttime END_TIME as endtime PROGRAM_NAME as prog STATION_CODE as ch
| eval viewstart=strptime(date."#".starttime, "%Y/%m/%d#%H%M")
| eval viewend=strptime(date."#".endtime, "%Y/%m/%d#%H%M")
| eval viewrange=mvrange(viewstart, viewend, "30m")
| mvexpand viewrange
| fields viewrange ch prog viewend ]
| stats values(prog) as program values(viewend) as viewend values(name) as name by ch viewrange
| dedup name viewend
| rename viewrange as start viewend as end
| eval date=strftime(start, "%Y/%m/%d")
| eval start=strftime(start, "%H:%M")
| eval end=strftime(end, "%H:%M")
| table name date start end program
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kawashita_t
Explorer
10-10-2016
07:40 AM
Thank you for answering.
I tried, but it did not work.
Until the 「append ~~」 was operating properly.
I do not understand did not work the part.
One by one to confirm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-10-2016
07:52 AM
Please share your query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kawashita_t
Explorer
10-10-2016
02:01 PM
index=tv
| rename setai_no as name rt_code as ch
| eval viewstart=strptime(date."#".start_time, "%Y-%m-%d#%H%M")
| eval viewend=strptime(date."#".end_time, "%Y-%m-%d#%H%M")
| eval viewrange=mvrange(viewstart, viewend, "30m")
| mvexpand viewrange
| fields name viewrange ch viewend
| append [search index=tv_program
| rename BROADCAST_DATE as date START_TIME as starttime END_TIME as endtime PROGRAM_NAME as prog STATION_CODE as ch
| eval viewstart=strptime(date."#".starttime, "%Y/%m/%d#%H%M")
| eval viewend=strptime(date."#".endtime, "%Y/%m/%d#%H%M")
| eval viewrange=mvrange(viewstart, viewend, "30m")
| mvexpand viewrange
| fields viewrange ch prog viewend ]
| stats values(prog) as program values(viewend) as viewend by name ch viewrange
| dedup name viewend
| rename viewrange as start viewend as end
| eval date=strftime(start, "%Y/%m/%d")
| eval start=strftime(start, "%H:%M")
| eval end=strftime(end, "%H:%M")
| table name date start end program
This is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kawashita_t
Explorer
10-10-2016
02:23 PM
| stats values(prog) as program values(viewend) as viewend by name ch viewrange
This search content did not have the results.
「Viewrange」 it might cause.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-10-2016
02:52 PM
Try the updated query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kawashita_t
Explorer
10-10-2016
02:57 PM
Thank you.
i will try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kawashita_t
Explorer
10-10-2016
03:04 PM
Results come out but, "program" is not output.
Output Example:
Bob , 2016/10/10 , 0830 , 0930 ,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
10-10-2016
06:20 AM
index=tv_viewing_log |join channel date [search index=tv_program_data] |eval watched=if(startWatch>=startAir AND startWatch<=endAir,1,0)|search watched=1
where startWatch is 0800 is Time began to see, startAir is 0730 is Broadcast start time and endAir is 0900 is Broadcast end time in your example
maybe something like this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kawashita_t
Explorer
10-10-2016
06:55 AM
Thank you for answering.
I tried it but it did not work.
Have been combined in time and channel, data corresponding to the part of 「eval watched = ~~ 」is not.
Perhaps, because the date and channel is a plurality of the same data set.
Example)
1.TV viewing log
Example ) Bob , 2016/10/10 , 0800 , 0830 , 6ch
2.TV Prgram Data
Example )
2016/10/10,0500,0600,6ch,24 1st season ←←This data set is joined
2016/10/10,0730,0900,6ch,24 2nd season
2016/10/10,0930,1000,6ch,24 3rd season
Get Updates on the Splunk Community!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...
They're back! Join the SplunkTrust and MVP at .conf24
With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...
Enterprise Security Content Update (ESCU) | New Releases
Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...
