All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search time extract new _time for multivalue field

jorvinmartinez
New Member
‎02-07-2014 10:20 AM

I've been working on a complicated set of log files that collect performance stats for a number of counters.

The format for the logs files is :

[Source_Identifier]servername[TYPE]-instanceofcounter#counter#start_time_of_collection#end_time_of_collection#numSamples-__#MULIPLE_VALUES_SEPARATED_BY_Comma

Below is a sample :

[virtualserver]Server1.domain.com[HostSystem]-vmnic0#net.transmitted.average#2013-12-31T13:43:00EST#2013-12-31T13:57:40EST#numSamples-45#14,8,26,26,20,14,2,8,2,16,9,3,54,9,14,2,8,2,26,9,14,25,8,14,4,9,26,27,20,15,24,8,2,13,2,21,14,8,3,4,20,3,42,8,15

The field "perfmon_value" is a multivalue field, in this case there are it has 45 values. This value is captured every 20 seconds.

I created search that separates each value into a separate event by using the "mvexpand" command. The issue we have is that every event has the same _time value. This time should be incremented by 20secs for every value in the "perfmon_value" field. Is there a way to change the _time field for each event ?

Thank you for your assistance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-07-2014 11:03 AM

Try this

your base search giving fields _time, numSamples and Samples | eval counter=mvrange(0,numSamples) | eval Samples=split(Samples,",") | eval fields=mvzip(Samples,counter) | mvexpand fields | rex field=fields "(?<Samples>.*),(?<counter>.*)" | fields - fields,_raw | eval _time=_time + counter*20

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-07-2014 11:03 AM

Try this

your base search giving fields _time, numSamples and Samples | eval counter=mvrange(0,numSamples) | eval Samples=split(Samples,",") | eval fields=mvzip(Samples,counter) | mvexpand fields | rex field=fields "(?<Samples>.*),(?<counter>.*)" | fields - fields,_raw | eval _time=_time + counter*20
0 Karma
Reply
Solved! Jump to solution

jorvinmartinez
New Member
‎02-07-2014 12:22 PM

Somesoni2 - Thanks for the answer, and the introduction to the mvrange command.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...