Dirty floor() workaround for multivalued fields
Given these non-integer values
| gentimes start=-1 increment=1h | stats list(eval(starttime/1000)) as times
run this:
... | eval times=mvjoin(times,";") | rex mode=sed field=times "s/\.[0-9]+//g" | eval times=split(times,";")
This is assuming that the times you have are in epoch format, but should work for other data formats too.
The other alternative is to mvzip up all your multivalued fields into a new field, mvexpand the new field, extract out the time field, perform your floor function on it, then join everything up again.
It emulates floor without having to split the values into separate events.
Dirtyfloor? Can you explain a little bit?
Appreciating your effort, but mvexpand is working only for one multivalue field extraction in one event, but I have three...
Perhaps using mvexpand could solve your issue?
I am sorry for this late update, but if there is only one value per event, then it is working. What's wrong when extracting multiple values from the same event?
The following search will illustrate the different results you can expect from the floor, round and ceil functions. I've used the time as input, since you can easily reproduce the results.
* | head 1 | eval XX = _time / 1000000 | eval floorX = floor(XX) | eval r0X = round(XX,0) | eval r1X = round(XX,1) | eval r3X = round(XX,3) | eval ceilX = ceil(XX) | table XX, floorX, r0X, r1X, r3X, ceilX
/k
index=main source=bbb.txt field1=*| eval btime=round(b1time,2)|table field1 btime b1time
Now the btime field is empty.
I extracted it using the MV_ADD option because all these field values come under one event, i.e.
[get_b1time]
REGEX=""
MV_ADD=true
It worked fine and the b1time values are correct.
More details please? How is it not working? What search string are you using?
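The mvzip / mvexpand alternative mentioned in the first answer, written out for three multivalued fields, as an added example that is not part of the original thread. The makeresults sample values, the b2time field, the "|" delimiter and the row_id helper field are constructed for illustration; field1 and b1time are the field names used in the thread.

```spl
| makeresults
| eval field1=split("a,b,c", ","), b1time=split("1.25,2.75,3.5", ","), b2time=split("10.9,20.1,30.6", ",")
| streamstats count as row_id
| eval zipped=mvzip(mvzip(field1, b1time, "|"), b2time, "|")
| mvexpand zipped
| eval parts=split(zipped, "|")
| eval field1=mvindex(parts, 0), b1time=floor(tonumber(mvindex(parts, 1))), b2time=floor(tonumber(mvindex(parts, 2)))
| stats list(field1) as field1, list(b1time) as b1time, list(b2time) as b2time by row_id
| fields - row_id
```

streamstats assigns row_id before mvexpand so that stats list(...) by row_id can regroup the expanded rows into their original event. The delimiter must be a character that does not occur in any of the values.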