Piping that through table _time network t, we see:

As you can see, we have our actual _time, which Splunk always draws according to the user's preferences, then our network value, and then the two values for t created using mvappend. Now we can expand each event into two events, so that we have a start and end event:

sourcetype=impl_splunk_gen network="*"
| eval endtime=_time+2
| eval t=mvappend(_time,endtime)
| mvexpand t

mvexpand replicates each event for each value in the field specified. In our case, each event will create two events, as t always contains two values. All other fields are copied into the new event. With the addition of table _time network t, our events now look like this:
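
To make the row-level effect concrete, here is the same pipeline modelled in Python. This is an added example, not code from the book and not Splunk's implementation. The sample events, the network values and the helper names are constructed for illustration.

```python
def mvappend(*values):
    """Model of eval's mvappend: collect the arguments into one multivalue list."""
    out = []
    for v in values:
        out.extend(v if isinstance(v, list) else [v])
    return out


def mvexpand(events, field):
    """Model of mvexpand: one output event per value of `field`."""
    expanded = []
    for event in events:
        values = event[field]
        for value in values if isinstance(values, list) else [values]:
            row = dict(event)   # all other fields are copied into the new event
            row[field] = value  # the expanded field now holds a single value
            expanded.append(row)
    return expanded


def start_end_events(events, duration=2):
    """eval endtime=_time+2 | eval t=mvappend(_time,endtime) | mvexpand t"""
    staged = []
    for event in events:
        e = dict(event)  # leave the caller's events untouched
        e["endtime"] = e["_time"] + duration
        e["t"] = mvappend(e["_time"], e["endtime"])
        staged.append(e)
    return mvexpand(staged, "t")


def table(rows, fields=("_time", "network", "t")):
    """Model of `table _time network t`: keep only the named columns."""
    return [tuple(r[f] for f in fields) for r in rows]


# Constructed sample events (epoch seconds); not data from the book.
SAMPLE = [
    {"_time": 1700000000, "network": "green"},
    {"_time": 1700000001, "network": "red"},
    {"_time": 1700000003, "network": "green"},
]

if __name__ == "__main__":
    for _time, network, t in table(start_end_events(SAMPLE)):
        print(_time, network, t)
```

Each input event yields two rows that share _time and network: one with t equal to _time (the start) and one with t equal to _time+2 (the end).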