Dirty floor() workaround for multivalued fields
Given these non-integer values
| gentimes start=-1 increment=1h | stats list(eval(starttime/1000)) as times
run this :
... | eval times=mvjoin(times,";") | rex mode=sed field=times "s/\.[0-9]+//g" | eval times=split(times,";")
This is assuming that the times you have are in epoch format, but should work for other data formats too.
The other alternative is to mvzip up all your multivalued fields into a new field, mvexpand the new field, extract out the time field, perform your floor function on it, then join everything up again.
The following search will illustrate the different results you can expect from the
floor, round and
ceil functions. I've used the time as input, since you can easily reproduce the results.
* | head 1 | eval XX = _time / 1000000 | eval floorX = floor(XX) | eval r0X = round(XX,0) | eval r1X = round(XX,1) | eval r3X = round(XX,3) | eval ceilX = ceil(XX) | table XX, floorX, r0X, r1X, r3X, ceilX
index=main source=bbb.txt field1=*| eval btime=round(b1time,2)|table field1 btime b1time
now btime firld is empty
i extracted it using MV_ADD option because all these field value come under one event i.e
it worked fine and b1time valuees are correct.