I have some BIG-IP data that I am ingesting as plain text files, as I can't directly connect to the BIG-IP servers due to security rules.
I have used regex field extractions to extract various data items at index-time, e.g. vs_pkts_in from props.conf:
EXTRACT-vs_pkts_in = VIRTUAL\s\w+\s+\w+\s+\w+\s+\|\s+\w+\s+\w+\s+\w+\s+\|\s+\(\w+,\s+\w+,\s+\w+,\s+\w+\)\s+=\s+\([\w.]+,\s+[\w.]+,\s+[\w.]+,\s+[\w.]+\)\s+\|\s+\(\w+,\w+\)\s+\w+\s+=\s+\((?P<vs_pkts_in>[\w.]+)
Unfortunately, this field value is recorded in various formats: 123, 1.23M, 1.23G and 1.23T. I have used the below search to convert the values into bytes, but so far I have been unable to work out how to apply this conversion at index-time, with the above extraction.
index=bigip
| makemv vs_pkts_in
| mvexpand vs_pkts_in
| rex field=vs_pkts_in "^(?<Value>[\d.]*)(?<Unit>[\w.]*)$"
| eval factor=case(Unit="B",1,Unit="K",1024,Unit="M",1024*1024,Unit="G",1024*1024*1024,Unit="T",1024*1024*1024*1024,true(),1)
| eval vs_pkts_in_bytes=Value*factor
I have approx. 20 fields that this applies to, which is why I'd like to apply the conversion at index-time rather than search-time, as my search queries are very large.
Any help or advice on how to do this would be appreciated.
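Added example, not part of the original post and not F5 or Splunk code: the same extraction and unit conversion written in Python, so the expected numbers can be checked offline before the logic is committed to a Splunk configuration. It generalises the single-field case to a table of per-field regexes, which is the shape the "approx. 20 fields" problem has. The log line is constructed to match the EXTRACT-vs_pkts_in regex above and is not real BIG-IP output; the second extraction (vs_bits_in) is hypothetical. The factor table is the 1024-based one from the search, but an unknown suffix or a malformed number raises an error instead of silently scaling by 1 as the true() branch does.

```python
import re
from decimal import Decimal, InvalidOperation

# Regex copied verbatim from the EXTRACT-vs_pkts_in stanza quoted above.
VS_PKTS_IN_RE = re.compile(
    r"VIRTUAL\s\w+\s+\w+\s+\w+\s+\|\s+\w+\s+\w+\s+\w+\s+\|\s+"
    r"\(\w+,\s+\w+,\s+\w+,\s+\w+\)\s+=\s+\([\w.]+,\s+[\w.]+,\s+[\w.]+,\s+[\w.]+\)\s+\|\s+"
    r"\(\w+,\w+\)\s+\w+\s+=\s+\((?P<vs_pkts_in>[\w.]+)"
)

# Hypothetical second extraction (not from the original post): the second
# value of the "(pkts,bits) in = (...)" tuple on the same line.
VS_BITS_IN_RE = re.compile(
    r"\(\w+,\w+\)\s+\w+\s+=\s+\([\w.]+,\s+(?P<vs_bits_in>[\w.]+)"
)

# One entry per field to convert; the group name must equal the dict key.
EXTRACTIONS = {"vs_pkts_in": VS_PKTS_IN_RE, "vs_bits_in": VS_BITS_IN_RE}

# Same number/unit split as the rex command in the search.
VALUE_UNIT_RE = re.compile(r"^(?P<Value>[\d.]*)(?P<Unit>[\w.]*)$")

# Same factor table as the eval case() in the search (1024-based multiples).
FACTORS = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def scale_value(text):
    """Turn '123', '1.23M', '1.23G' or '1.23T' into an integer count.

    Decimal arithmetic keeps 1.23 * 1024**3 at exactly 1320702443.52 before
    rounding, avoiding float artefacts. Unlike the true() branch of the
    search, an unknown suffix or a missing/malformed number raises ValueError
    instead of silently scaling by 1.
    """
    m = VALUE_UNIT_RE.match(text.strip())
    if m is None or not m.group("Value"):
        raise ValueError(f"no numeric value in {text!r}")
    unit = m.group("Unit")
    if unit not in FACTORS:
        raise ValueError(f"unknown unit suffix {unit!r} in {text!r}")
    try:
        number = Decimal(m.group("Value"))
    except InvalidOperation:
        raise ValueError(f"malformed number in {text!r}") from None
    return int((number * FACTORS[unit]).to_integral_value())


def scale_fields(line, extractions=EXTRACTIONS):
    """Apply every extraction regex to one line and return {field: scaled int}.

    A field whose regex does not match the line is left out rather than
    guessed, so a missing key is visible to the caller.
    """
    result = {}
    for name, regex in extractions.items():
        m = regex.search(line)
        if m is not None:
            result[name] = scale_value(m.group(name))
    return result


# Constructed sample shaped to satisfy the regexes above; not real BIG-IP output.
SAMPLE_LINE = (
    "VIRTUAL vs_web ok enabled | 0 0 0 | (cur, max, limit, tot) = (12, 40, 0, 1.2K)"
    " | (pkts,bits) in = (1.23M, 9.9G)"
)

if __name__ == "__main__":
    print(scale_fields(SAMPLE_LINE))
```

Running the file prints the converted values for the constructed line; feeding it real exported lines is a quick way to confirm that the regex and the factor table produce the numbers you expect before the same logic is moved into a Splunk configuration.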