Search time extract new _time for multivalue field

jorvinmartinez
New Member

I've been working on a complicated set of log files that collect performance stats for a number of counters.

The format of the log files is:

[Source_Identifier]servername[TYPE]-instanceofcounter#counter#start_time_of_collection#end_time_of_collection#numSamples-__#MULTIPLE_VALUES_SEPARATED_BY_Comma

Below is a sample:

[virtualserver]Server1.domain.com[HostSystem]-vmnic0#net.transmitted.average#2013-12-31T13:43:00EST#2013-12-31T13:57:40EST#numSamples-45#14,8,26,26,20,14,2,8,2,16,9,3,54,9,14,2,8,2,26,9,14,25,8,14,4,9,26,27,20,15,24,8,2,13,2,21,14,8,3,4,20,3,42,8,15

The field "perfmon_value" is a multivalue field; in this case it has 45 values. A value is captured every 20 seconds.

I created a search that separates each value into a separate event by using the "mvexpand" command. The issue we have is that every event has the same _time value. This time should be incremented by 20 seconds for every value in the "perfmon_value" field. Is there a way to change the _time field for each event?

Thank you for your assistance.

1 Solution

somesoni2
Revered Legend

Try this

your base search giving fields _time, numSamples and Samples | eval counter=mvrange(0,numSamples) | eval Samples=split(Samples,",") | eval fields=mvzip(Samples,counter) | mvexpand fields | rex field=fields "(?<Samples>.*),(?<counter>.*)" | fields - fields,_raw | eval _time=_time + counter*20



jorvinmartinez
New Member

Somesoni2 - Thanks for the answer, and the introduction to the mvrange command.
