I've been working on a complicated set of log files that collect performance stats for a number of counters.
The format for the log files is:
[Source_Identifier]servername[TYPE]-instanceofcounter#counter#start_time_of_collection#end_time_of_collection#numSamples-__#MULTIPLE_VALUES_SEPARATED_BY_Comma
Below is a sample:
[virtualserver]Server1.domain.com[HostSystem]-vmnic0#net.transmitted.average#2013-12-31T13:43:00EST#2013-12-31T13:57:40EST#numSamples-45#14,8,26,26,20,14,2,8,2,16,9,3,54,9,14,2,8,2,26,9,14,25,8,14,4,9,26,27,20,15,24,8,2,13,2,21,14,8,3,4,20,3,42,8,15
The field "perfmon_value" is a multivalue field; in this case it has 45 values. This value is captured every 20 seconds.
I created a search that separates each value into a separate event by using the "mvexpand" command. The issue we have is that every event has the same _time value. This time should be incremented by 20 seconds for every value in the "perfmon_value" field. Is there a way to change the _time field for each event?
Thank you for your assistance.
Try this
your base search giving fields _time, numSamples and Samples | eval counter=mvrange(0,numSamples) | eval Samples=split(Samples,",") | eval fields=mvzip(Samples,counter) | mvexpand fields | rex field=fields "(?<Samples>.*),(?<counter>.*)" | fields - fields,_raw | eval _time=_time + counter*20
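The same expansion, written out in Python as an added example (not code from the question or the answer above) so the steps of the SPL can be seen one at a time: parse the "#"-delimited record from the question's format, split the comma-separated sample list, and emit one event per sample with its own timestamp advanced by 20 seconds per index, exactly as the mvrange/mvzip/mvexpand chain does. It also adds the checks a practitioner would want before trusting the expanded events: that the value count matches the numSamples field, and that start + (n-1)*20s lands on the recorded end time. The sample line is the one from the question; the regex, the field names and the treatment of the trailing "EST" as a label that is kept but not used for arithmetic are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample record taken from the question (constructed test input for this example).
SAMPLE_LINE = (
    "[virtualserver]Server1.domain.com[HostSystem]-vmnic0#net.transmitted.average"
    "#2013-12-31T13:43:00EST#2013-12-31T13:57:40EST#numSamples-45#"
    "14,8,26,26,20,14,2,8,2,16,9,3,54,9,14,2,8,2,26,9,14,25,8,14,4,9,26,27,20,15,"
    "24,8,2,13,2,21,14,8,3,4,20,3,42,8,15"
)

# Collection interval stated in the question: one value every 20 seconds.
SAMPLE_INTERVAL = timedelta(seconds=20)

# Field layout from the question:
# [Source_Identifier]servername[TYPE]-instance#counter#start#end#numSamples-N#v1,v2,...
# (regex and group names are this example's assumptions, not the log producer's)
LINE_RE = re.compile(
    r"^\[(?P<source_identifier>[^\]]+)\]"
    r"(?P<servername>[^\[]+)"
    r"\[(?P<type>[^\]]+)\]-"
    r"(?P<instance>[^#]+)#"
    r"(?P<counter>[^#]+)#"
    r"(?P<start_time>[^#]+)#"
    r"(?P<end_time>[^#]+)#"
    r"numSamples-(?P<num_samples>\d+)#"
    r"(?P<perfmon_value>.*)$"
)

# Timestamps look like 2013-12-31T13:43:00EST; the alphabetic zone suffix is kept
# as a label only (assumption: all stamps in one record share the same zone).
TIME_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?P<zone>[A-Za-z]*)$"
)


def parse_timestamp(text):
    """Return (naive datetime, zone label) for a stamp such as 2013-12-31T13:43:00EST."""
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    return datetime.strptime(m.group("stamp"), "%Y-%m-%dT%H:%M:%S"), m.group("zone")


def parse_line(line):
    """Split one log record into its fields; perfmon_value becomes a list of floats."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the expected format")
    rec = m.groupdict()
    rec["num_samples"] = int(rec["num_samples"])
    rec["perfmon_value"] = [float(v) for v in rec["perfmon_value"].split(",") if v != ""]
    rec["start"], rec["zone"] = parse_timestamp(rec["start_time"])
    rec["end"], _ = parse_timestamp(rec["end_time"])
    return rec


def validate(rec):
    """Return a list of consistency problems (empty when the record is self-consistent)."""
    problems = []
    n = len(rec["perfmon_value"])
    if n != rec["num_samples"]:
        problems.append("numSamples says %d but %d values were found" % (rec["num_samples"], n))
    if n:
        expected_end = rec["start"] + (n - 1) * SAMPLE_INTERVAL
        if expected_end != rec["end"]:
            problems.append("end time %s does not equal start + (n-1)*20s = %s"
                            % (rec["end"].isoformat(), expected_end.isoformat()))
    return problems


def expand(rec):
    """mvexpand equivalent: one event per sample, _time advanced 20 s per index."""
    events = []
    for counter, value in enumerate(rec["perfmon_value"]):
        events.append({
            "_time": rec["start"] + counter * SAMPLE_INTERVAL,
            "zone": rec["zone"],
            "servername": rec["servername"],
            "instance": rec["instance"],
            "counter": rec["counter"],
            "sample_index": counter,
            "perfmon_value": value,
        })
    return events


if __name__ == "__main__":
    record = parse_line(SAMPLE_LINE)
    for problem in validate(record):
        print("WARNING:", problem)
    for ev in expand(record):
        print(ev["_time"].isoformat(), ev["zone"], ev["instance"], ev["counter"], ev["perfmon_value"])
```

Running the block on the question's record prints 45 events from 13:43:00 to 13:57:40, which is 44 intervals of 20 seconds, so the end time in the record agrees with the sample count; a record where numSamples and the actual value count disagree is reported by validate before expansion rather than silently producing mis-timed events.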
Somesoni2 - Thanks for the answer, and the introduction to the mvrange command.