Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: フィールド内文字列の日付12ケタを抜き出して現時刻と比較し、一週間より前のものだけをレコード...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuusuke611
New Member
07-26-2019
01:52 AM
AWSの構成情報をSplunkに取り込んでいますが、AMIの取得日付が取り込みRowデータ自体に無い為、代替案として、AMIのnameに記載されている日付を取得して、本日日付と比較し、一週間以上前のものを取り出したいと思っています。どういうサーチ文を実行すればよいでしょうか。(以下、マスク部分はXXXXで書いてます。)
例)
source="*:ec2_images" AND aws_account_id="XXXXXXXXXXXX"
| dedup id
出力例) ※AMIの取得日付がなぜかない。。
{"owner_id": "XXXXXXXXXXXX", "instance_lifecycle": null, "ramdisk_id": null, "is_public": false, "description": "XXXXXXXXXXXX-201807301152-manual", "root_device_type": "ebs", "id": "ami-XXXXXXXXXXXX", "virtualization_type": "hvm", "account_id": "XXXXXXXXXXXX", "owner_alias": null, "type": "machine", "kernel_id": null, "state": "available", "sriov_net_support": "simple", "product_codes": [], "architecture": "x86_64", "location": "XXXXXXXXXXXX/XXXXXXXXXXXX-201807301152-manual", "billing_products": [], "region": "ap-northeast-1", "name": "XXXXXXXXXXXX-201807301152-manual", "hypervisor": "xen", "platform": null, "root_device_name": "/dev/xvda"}
代替案としてやりたいこと)
descriptionやnameフィールドの日付12ケタを抜き出して現時刻と比較し、一週間より前のものだけをレコード出力する
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
melonman
Motivator
08-01-2019
05:46 PM
@kamlesh_vaghela さんの回答に補足する形になりますが、
1. nameフィールドからrexで日付部分を取得したあと、
2. 現在時刻から1週間前の時刻(UNIX時間)と比較して、
3. where句でフィルタを行う
という流れでいけるとおもいますよ。
... your search to get events
| rex field=name "-(?<ami_cdatehour>\d{12})-"
| eval ami_ctime = strptime(ami_cdatehour,"%Y%m%d%H%M")
| eval a_week_ago = relative_time( now(), "-7d@d")
| where ami_ctime < a_week_ago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
melonman
Motivator
08-01-2019
05:46 PM
@kamlesh_vaghela さんの回答に補足する形になりますが、
1. nameフィールドからrexで日付部分を取得したあと、
2. 現在時刻から1週間前の時刻(UNIX時間)と比較して、
3. where句でフィルタを行う
という流れでいけるとおもいますよ。
... your search to get events
| rex field=name "-(?<ami_cdatehour>\d{12})-"
| eval ami_ctime = strptime(ami_cdatehour,"%Y%m%d%H%M")
| eval a_week_ago = relative_time( now(), "-7d@d")
| where ami_ctime < a_week_ago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
08-01-2019
09:06 PM
@yuusuke611 @melonman
すばらしいです。いずれにせよ私の答えが参考になるならば挨拶として支持してください。 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuusuke611
New Member
08-01-2019
05:51 PM
@kamlesh_vaghela さん、@melonman さん、回答ありがとうございました!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
melonman
Motivator
08-01-2019
06:15 PM
回答にAcceptしていただけるとありがたいです!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
07-26-2019
05:52 AM
@yuusuke611
You can extract your required data using rex command.
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex
Can you please try this for your specific case?
====================================
必要なデータは rexコマンドを使って取り出すことができます。
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rex
あなたの特定のケースでこれを試してください。
====================================
YOUR_SEARCH | rex field=name "-(?<date>\d{12})-" | eval epoch = strptime(date,"%Y%m%d%H%M"), readable=strftime(epoch,"%Y-%m-%d %H:%M")
My Sample Search:
| makeresults | eval _raw="{\"owner_id\": \"XXXXXXXXXXXX\", \"instance_lifecycle\": null, \"ramdisk_id\": null, \"is_public\": false, \"description\": \"XXXXXXXXXXXX-201807301152-manual\", \"root_device_type\": \"ebs\", \"id\" : \"ami-XXXXXXXXXXXX\", \"virtualization_type\": \"hvm\", \"account_id\": \"XXXXXXXXXXXX\", \"owner_alias\": null, \"type\": \"machine\", \"kernel_id\": null, \"state\": \"available\" , \"sriov_net_support\": \"simple\", \"product_codes\": [], \"architecture\": \"x86_64\", \"location\": \"XXXXXXXXXXXX / XXXXXXXXXXXX-201807301152-manual\", \"billing_products\": [], \"region\": \" ap-northeast-1 \",\" name \":\" XXXXXXXXXXXX-201807301152-manual \",\" hypervisor \":\" xen \",\" platform \": null,\" root_device_name \":\" / dev / xvda \"}" |kv | table description name | rex field=name "-(?<date>\d{12})-" | eval epoch = strptime(date,"%Y%m%d%H%M"), readable=strftime(epoch,"%Y-%m-%d %H:%M")
Thanks
Get Updates on the Splunk Community!
How to Monitor Google Kubernetes Engine (GKE)
We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...
Index This | How can you make 45 using only 4?
October 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Splunk Education Goes to Washington | Splunk GovSummit 2024
If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...
