I've been working on a complicated set of log files that collect performance stats for a number of counters.

The format for the logs files is :

[Source_Identifier]servername[TYPE]-instanceofcounter#counter#start_time_of_collection#end_time_of_collection#numSamples-__#MULIPLE_VALUES_SEPARATED_BY_Comma

Below is a sample :

[virtualserver]Server1.domain.com[HostSystem]-vmnic0#net.transmitted.average#2013-12-31T13:43:00EST#2013-12-31T13:57:40EST#numSamples-45#14,8,26,26,20,14,2,8,2,16,9,3,54,9,14,2,8,2,26,9,14,25,8,14,4,9,26,27,20,15,24,8,2,13,2,21,14,8,3,4,20,3,42,8,15

The field "perfmon_value" is a multivalue field, in this case there are it has 45 values. This value is captured every 20 seconds.

I created search that separates each value into a separate event by using the "mvexpand" command. The issue we have is that every event has the same _time value. This time should be incremented by 20secs for every value in the "perfmon_value" field. Is there a way to change the _time field for each event ?

Thank you for your assistance.