I don't know if I am asking the question right but here goes...
I have a Dell MD3200i that I am importing the performance data from. I am monitoring from a CentOS 5.6 box where I can get this data into a CSV but the formatting is:
Header line
Iteration Value
Date/Time
Controller Slot 0 Data
Virtual Disk DATA
Virtual Disk DATA
Virtual Disk DATA
Controller Slot 1 Data
Virtual Disk Data
Storage Array Totals DATA
The Data repeats for each iteration. Is there a good way to index this since there is only the one timestamp per iteration? Can I strip out the iteration values somehow and make the timestamp apply to the entire set of values for that iteration?
I am new to Splunk but am very happy with all the other data I can pull so far.
Any help is greatly appreciated. I had an idea that I could call it from a script on a single iteration at a time, but how would I set a different filename each time I called the command?
The command being used is as follows:
smcli -n nameOfSAN -c "set session performanceMonitorInterval=5 performanceMonitorIterations=5;save storageArray performanceStats file=\"Test.csv\";"
If I need to supply more information I am happy to do so.
Thanks in advance!
donwant,
If I am understanding this correctly, you should be able to create a multi-line event for each iteration by breaking on the Header line. Your events would be:
Event 1:
Header line
...
Storage Array Totals DATA
Event 2:
Header line
...
Storage Array Totals DATA
This would ensure that each event has a date/time. To accomplish this we set up the LINE_BREAKER property which is a regular expression describing your "Header line". Splunk will also automatically pick up your date/timestamp if it is within the first 150 characters of the event. If this is not going to be the case you can adjust MAX_TIMESTAMP_LOOKAHEAD:
## props.conf
[<your_sourcetype>]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)--Header Line Regex--
MAX_TIMESTAMP_LOOKAHEAD = 200
I may need to do that later, but it looks like I just wasn't searching correctly or reporting correctly to get the results to show like I wanted.
That being the case you can break on the iteration value or date/time.
It only puts the header line once for the entire file.
Such that
Header Line
Event1:
Data
Event2:
Data
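An added example, not part of the original thread and not Splunk's own code: a Python emulation of how a LINE_BREAKER that matches the iteration line splits the file into one event per iteration, then carries each iteration's timestamp onto every row. The sample data, the `Iteration \d+` pattern and the timestamp format are constructed placeholders, since the real MD3200i output is not shown above.

```python
import re

# Constructed sample: follows the layout in the question, but the field
# text and timestamp format are placeholders, not real MD3200i output.
SAMPLE = """Header line
Iteration 1
2011-06-01 10:00:00
Controller Slot 0,10
Virtual Disk A,4
Controller Slot 1,7
Virtual Disk B,7
Storage Array Totals,17
Iteration 2
2011-06-01 10:00:05
Controller Slot 0,12
Virtual Disk A,5
Controller Slot 1,8
Virtual Disk B,8
Storage Array Totals,20
"""

# Same shape as a LINE_BREAKER value: capture group 1 is the boundary that
# is discarded; the text right after it starts the next event.
# The "Iteration \d+" pattern is an assumption about the iteration line.
LINE_BREAKER = re.compile(r"([\r\n]+)Iteration \d+")

def break_events(raw, breaker=LINE_BREAKER):
    """Split raw text the way LINE_BREAKER does with SHOULD_LINEMERGE = false."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])  # text before the boundary
        start = m.end(1)                      # next event begins after group 1
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]

def stamp_rows(raw):
    """Return (timestamp, row) pairs so each row carries its iteration's time."""
    rows = []
    for event in break_events(raw):
        lines = event.splitlines()
        if len(lines) < 2 or not lines[0].startswith("Iteration"):
            continue  # the one-off header line forms its own leading event
        timestamp = lines[1]
        rows.extend((timestamp, line) for line in lines[2:])
    return rows
```
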