How do I import CSV with a single date time stamp for multiple events?

Explorer

I don't know if I am asking the question right but here goes...

I have a Dell MD3200i that I am importing the performance data from. I am monitoring from a CentOS 5.6 box where I can get this data into a CSV but the formatting is:

Header line

Iteration Value

Date/Time

Controller Slot 0 Data

Virtual Disk DATA

Virtual Disk DATA

Virtual Disk DATA

Controller Slot 1 Data

Virtual Disk Data

Storage Array Totals DATA

The Data repeats for each iteration. Is there a good way to index this since there is only the one timestamp per iteration? Can I strip out the iteration values somehow and make the timestamp apply to the entire set of values for that iteration?

I am new to Splunk but am very happy with all the other data I can pull so far.

Any help is greatly appreciated. I had an idea that I could call it from a script on a single iteration at a time, but how would I set a different filename each time I called the command?
The command being used is as follows:

smcli -n nameOfSAN -c "set session performanceMonitorInterval=5 performanceMonitorIterations=5;save storageArray performanceStats file=\"Test.csv\";"

If I need to supply more information I am happy to do so.

Thanks in advance!

1 Solution

Builder

donwant,

If I am understanding this correctly, you should be able to create a multi-line event for each iteration by breaking on the Header line. Your events would be:

Event 1:
Header line
...
Storage Array Totals DATA

Event 2:
Header line
...
Storage Array Totals DATA

This would ensure that each event has a date/time. To accomplish this we set up the LINE_BREAKER property which is a regular expression describing your "Header line". Splunk will also automatically pick up your date/timestamp if it is within the first 150 characters of the event. If this is not going to be the case you can adjust MAX_TIMESTAMP_LOOKAHEAD:

## props.conf
[<your_sourcetype>]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)--Header Line Regex--
MAX_TIMESTAMP_LOOKAHEAD = 200

0 Karma

Explorer

I may need to do that later, but it looks like I just wasn't searching correctly or reporting correctly to get the results to show like I wanted.

0 Karma

Builder

That being the case, you can break on the iteration value or date/time.

0 Karma

Explorer

It only puts the header line once for the entire file.
Such that

Header Line

Event1:

Data

Event2:

Data

0 Karma
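
Added example (not part of the original thread and not Splunk's own code): a small Python emulation of the LINE_BREAKER rule from the answer, applied to a constructed file where the header appears once and every iteration starts with an iteration line followed by a single Date/Time line. The sample line text, the "Capture Iteration:" regex, the timestamp pattern and the function names are all assumptions.

```python
import re

# Constructed sample in the layout the thread describes: one header line for
# the whole file, then per iteration an iteration value, one Date/Time line
# and the data rows. The exact line text is an assumption.
SAMPLE = (
    '"Storage Arrays","Total IOs","Read Percentage"\n'
    "Capture Iteration: 1\n"
    "Date/Time: 6/1/11 10:00:05 AM\n"
    '"CONTROLLER IN SLOT 0","120.0","60.0"\n'
    '"Virtual Disk vd1","120.0","60.0"\n'
    '"STORAGE ARRAY TOTALS","120.0","60.0"\n'
    "Capture Iteration: 2\n"
    "Date/Time: 6/1/11 10:00:10 AM\n"
    '"CONTROLLER IN SLOT 0","95.0","40.0"\n'
    '"Virtual Disk vd1","95.0","40.0"\n'
    '"STORAGE ARRAY TOTALS","95.0","40.0"\n'
)

# Hypothetical LINE_BREAKER value that breaks on the iteration line.
LINE_BREAKER = r"([\r\n]+)Capture Iteration:"
TIMESTAMP = re.compile(r"\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M")

def split_events(raw, line_breaker):
    # With SHOULD_LINEMERGE = false the text matched by capture group 1 is
    # discarded: an event ends where the group starts, the next begins after it.
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]

def timestamp_in_lookahead(event, lookahead):
    # Only the first `lookahead` characters are searched, which is what
    # MAX_TIMESTAMP_LOOKAHEAD limits.
    m = TIMESTAMP.search(event[:lookahead])
    return m.group(0) if m else None

def report(raw, line_breaker=LINE_BREAKER, lookahead=200):
    # (first line of event, timestamp found or None) for every event.
    return [(e.splitlines()[0], timestamp_in_lookahead(e, lookahead))
            for e in split_events(raw, line_breaker)]

if __name__ == "__main__":
    for first_line, ts in report(SAMPLE):
        print(f"{first_line!r:52} -> {ts}")
```

In this emulation the one-off header line comes out as a separate first event with no timestamp of its own, and a lookahead shorter than the iteration line hides the Date/Time value from the timestamp search.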