Hi, I'm currently performing an evaluation on Splunk, so I am very new at this. I have a few questions concerning time stamps and combining fields.
Here is an example from the top of my data file:
Start Time: (September 11; 2009 11:19:0 am)
DataValue1,,DataValue2
601 ,45.416000 501 ,2.989220
1080 ,1000.03 980 ,1.124074
1200 ,45.483101 1080 ,2.946390
1741 ,992.955017 1671 ,1.124074
My file contains a single timestamp for the beginning of the log and then each data value is paired with a millisecond offset from that initial time. The first value is the offset and immediately after that is the parameter value. The offset and the value are always separated by a comma and individual "offset,value" groups are separated by a tab.
I would like to create the following data format within Splunk:
timestamp DataValue1 DataValue2
09/11/2009 11:19:00.501 null 2.989220
09/11/2009 11:19:00.601 45.416000 null
09/11/2009 11:19:00.980 null 1.124074
09/11/2009 11:19:01.080 1000.03 2.946390
09/11/2009 11:19:01.200 45.483101 null
09/11/2009 11:19:01.671 null 1.124074
09/11/2009 11:19:01.741 992.955017 null
I've been able to modify my props and transform to include basic header/field info but so far I am at a loss for how to do this type of field manipulation.
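The reshaping the question asks for (one absolute timestamp per row, values spread into per-parameter columns, "null" where a parameter has no sample at that instant) is easier to reason about outside Splunk first. The following is an added example, not code from the poster or from Splunk: a small Python pre-processor that parses the file layout described above and emits the requested table. The sample input is constructed from the values in the post, with the tab between "offset,value" groups restored (the page shows it as a space) and the header line assumed to be "DataValue1,\t,DataValue2", i.e. one column name per group. It also handles the case the desired output implies: two parameters sampled at the same offset (1080 ms) land on one row.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mirroring the post's file; tabs separate "offset,value" groups.
# The header line is an assumption: one (possibly blank-prefixed) name per group.
SAMPLE = (
    "Start Time: (September 11; 2009 11:19:0 am)\n"
    "DataValue1,\t,DataValue2\n"
    "601 ,45.416000\t501 ,2.989220\n"
    "1080 ,1000.03\t980 ,1.124074\n"
    "1200 ,45.483101\t1080 ,2.946390\n"
    "1741 ,992.955017\t1671 ,1.124074\n"
)

START_RE = re.compile(r"Start Time:\s*\((.+)\)")


def parse_start_time(line):
    """Extract the absolute start time from the first line of the file."""
    m = START_RE.search(line)
    if not m:
        raise ValueError("missing Start Time header: %r" % line)
    # "September 11; 2009 11:19:0 am" -> %B %d; %Y %I:%M:%S %p (single-digit seconds are accepted)
    return datetime.strptime(m.group(1).strip(), "%B %d; %Y %I:%M:%S %p")


def parse_header(line):
    """One column name per tab-separated group; stray commas and blanks are stripped."""
    return [part.strip(" ,") for part in line.rstrip("\n").split("\t")]


def parse_groups(line):
    """Yield (column index, offset in ms, value text) for each 'offset,value' group."""
    groups = []
    for col, chunk in enumerate(line.rstrip("\n").split("\t")):
        if not chunk.strip():
            continue  # trailing tab or empty cell
        offset_text, value_text = chunk.split(",", 1)
        groups.append((col, int(offset_text.strip()), value_text.strip()))
    return groups


def parse_file(text):
    """Return (column names, {timestamp: [value or None per column]})."""
    lines = text.splitlines()
    start = parse_start_time(lines[0])
    names = parse_header(lines[1])
    rows = {}
    for line in lines[2:]:
        if not line.strip():
            continue
        for col, offset_ms, value in parse_groups(line):
            ts = start + timedelta(milliseconds=offset_ms)
            # Samples of different parameters at the same offset share one row.
            rows.setdefault(ts, [None] * len(names))[col] = value
    return names, rows


def fmt_ts(ts):
    """Format as MM/DD/YYYY HH:MM:SS.mmm, matching the requested layout."""
    return ts.strftime("%m/%d/%Y %H:%M:%S") + ".%03d" % (ts.microsecond // 1000)


def render(names, rows):
    """Render the table as space-separated lines, sorted by timestamp, 'null' for gaps."""
    out = ["timestamp " + " ".join(names)]
    for ts in sorted(rows):
        vals = [v if v is not None else "null" for v in rows[ts]]
        out.append(fmt_ts(ts) + " " + " ".join(vals))
    return out


if __name__ == "__main__":
    for line in render(*parse_file(SAMPLE)):
        print(line)
```

Values are kept as the original strings rather than converted to float, so "1000.03" and "45.416000" are emitted exactly as they appear in the file. Running this on the source file (or a scripted input of the same shape) before ingestion gives Splunk one timestamp per event, which is a simpler target for props.conf than trying to derive offsets at search time.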