
How do I import CSV with a single date time stamp for multiple events?

Explorer

I don't know if I am asking the question right but here goes...

I have a Dell MD3200i that I am importing the performance data from. I am monitoring from a CentOS 5.6 box where I can get this data into a CSV but the formatting is:

Header line

Iteration Value

Date/Time

Controller Slot 0 Data

Virtual Disk DATA

Virtual Disk DATA

Virtual Disk DATA

Controller Slot 1 Data

Virtual Disk Data

Storage Array Totals DATA

The Data repeats for each iteration. Is there a good way to index this since there is only the one timestamp per iteration? Can I strip out the iteration values somehow and make the timestamp apply to the entire set of values for that iteration?

I am new to Splunk but am very happy with all the other data I can pull so far.

Any help is greatly appreciated. I had an idea that I could call it from a script on a single iteration at a time, but how would I set a different filename each time I called the command?
The command being used is as follows:

smcli -n nameOfSAN -c "set session performanceMonitorInterval=5 performanceMonitorIterations=5;save storageArray performanceStats file=\"Test.csv\";"

If I need to supply more information I am happy to do so.

Thanks in advance!

1 Solution

Builder

donwant,

If I am understanding this correctly, you should be able to create a multi-line event for each iteration by breaking on the Header line. Your events would be:

Event 1:
Header line
...
Storage Array Totals DATA

Event 2:
Header line
...
Storage Array Totals DATA

This would ensure that each event has a date/time. To accomplish this we set up the LINE_BREAKER property which is a regular expression describing your "Header line". Splunk will also automatically pick up your date/timestamp if it is within the first 150 characters of the event. If this is not going to be the case you can adjust MAX_TIMESTAMP_LOOKAHEAD:

## props.conf
[<your_sourcetype>]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)--Header Line Regex--
MAX_TIMESTAMP_LOOKAHEAD = 200


0 Karma

Explorer

I may need to do that later, but it looks like I just wasn't searching correctly or reporting correctly to get the results to show like I wanted.

0 Karma

Builder

That being the case, you can break on the iteration value or date/time.

0 Karma

Explorer

It only puts the header line once for the entire file.
Such that

Header Line

Event1:

Data

Event2:

Data

0 Karma
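The two break points discussed in this thread (the header line, and the iteration line once it turned out the header appears only once per file) can be compared offline with the sketch below. It is an added example, not code from the thread or from Splunk: the sample CSV text, the `Devices,` and `Capture Iteration:` line shapes, both regexes and the timestamp pattern are constructed assumptions, and the two functions are simplified models of `LINE_BREAKER` and `MAX_TIMESTAMP_LOOKAHEAD`.

```python
import re

# Constructed sample in the layout described in the thread: one header line for
# the whole file, then an iteration line, a date/time line and data rows per
# iteration. All column names and values are invented for illustration.
SAMPLE = (
    "Devices,Total IOs,Read %,Current KB/s\n"
    "Capture Iteration: 1\n"
    "Date/Time: 6/1/11 10:00:05 AM\n"
    "CONTROLLER IN SLOT 0,100,50.0,2048\n"
    "Virtual Disk data1,60,40.0,1024\n"
    "STORAGE ARRAY TOTALS,180,52.0,3548\n"
    "Capture Iteration: 2\n"
    "Date/Time: 6/1/11 10:00:10 AM\n"
    "CONTROLLER IN SLOT 0,120,48.0,2300\n"
    "Virtual Disk data1,70,41.0,1100\n"
    "STORAGE ARRAY TOTALS,200,51.0,3900\n"
)

# Candidate LINE_BREAKER values (assumed regexes for the constructed sample).
HEADER_BREAK = r"([\r\n]+)Devices,"
ITER_BREAK = r"([\r\n]+)Capture Iteration:"

# Timestamp shape used in the constructed sample only.
TS = re.compile(r"\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M")


def break_events(raw, line_breaker):
    """Simplified LINE_BREAKER model: text matched by capture group 1 is
    discarded; the previous event ends before it, the next starts after it."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def timestamp_in_lookahead(event, lookahead):
    """Simplified MAX_TIMESTAMP_LOOKAHEAD model: the whole timestamp must lie
    within the first `lookahead` characters of the event."""
    return TS.search(event[:lookahead]) is not None


if __name__ == "__main__":
    for name, rx in (("header", HEADER_BREAK), ("iteration", ITER_BREAK)):
        events = break_events(SAMPLE, rx)
        print(name, "->", len(events), "event(s)")
        for e in events:
            print("  ", e.splitlines()[0], "| ts in 200:", timestamp_in_lookahead(e, 200))
```

In this model, breaking on the iteration line leaves the file-level header as a separate first event with no timestamp of its own.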