Good day Splunkers,
I have this table example consisting of 4 fields named (src_ip, start_time, time_delta, avg_bytes)
example:
src_ip | start_time | time_delta | avg_bytes |
---|---|---|---|
1.2.3.4 | 1405305768 | 5 | 123.45 |
start_time and time_delta? Where the number of these new rows is based on time_delta and the value of this row is start_time + 1. Looking at my example, we would create 4 new rows (based on time_delta-1); the values of these rows would be 1405305768,1405305769,1405305770,1405305771,1405305772
src_ip | start_time | time_delta | avg_bytes |
---|---|---|---|
1.2.3.4 | 1405305768 | 5 | 123.45 |
1.2.3.4 | 1405305769 | 5 | 123.45 |
1.2.3.4 | 1405305770 | 5 | 123.45 |
1.2.3.4 | 1405305771 | 5 | 123.45 |
1.2.3.4 | 1405305772 | 5 | 123.45 |
I'm kinda lost now on my search. Is there a Splunk search term for this kind of situation? It would be a great help.
Thanks !
What are you trying to do?
Append this to your search:
... | eval temp = mvrange(0,time_delta) | mvexpand temp | eval start_time = start_time + temp
Note, this will only work reasonably well for small positive values of time_delta.
Hi @martin_mueller the command works, I think I won't have a 50000 time delta. Thanks again, already marked your answer
50+ shouldn't be any issue. At some point you'll hit configured limits of mvexpand, that might be 50000 or so.
Hi @martin_mueller, what I was trying to do is add some rows. What I have above is an example of the report output I would like to make. In your answer you said that it will only work to some extent. I have time_delta values that range to 50+. But I will still try this and be back on the outcomes.