topic Re: Extracting Fields Value in All Apps and Add-ons

Extracting Fields Value

nilampakhare — Mon, 28 Sep 2020 14:33:45 GMT

Jul 16 21:54:45 Phase 0 ended (692 seconds)

CPU Time Status Skew Vertex

0.033 [ : 1] 0% Audit.Gather_Logs

0.097 [ : 1] 0% Audit.Start_Process_Step_Phase5_Run_SQL

5.409 [ :12] 0% DLY_INT_Processed_format

1.433 [ :12] 0% FUNC_INT_Processed_format

3.482 [ :12] 0% Filter_non_func_records

6.751 [ :12] 0% PTD_INT_Processed_format

16.066 [ :12] 0% Partition_and_Re_Sort_by_Firm_Acct_DLY.Partition_by_Key

Here in the above index i m not able to extract CPU Time that is all the values ...Only few of the values are being extracted like 0.033 and 0.097..Here I m not able to extract the complete set of values ..Please have a glance..

Re: Extracting Fields Value

kml_uvce — Wed, 14 Aug 2013 08:16:58 GMT

can you try this...

your search |rex "(?i)^(?P[^ ]+)" |table field_name

Re: Extracting Fields Value

lcrielaa — Wed, 14 Aug 2013 08:21:29 GMT

"^\d+.\d+" as a regex will match any (1 or more) digit(s), then a period (.) and then another (1 or more) digit(s) at the beginning of a line.

Re: Extracting Fields Value

MarioM — Wed, 14 Aug 2013 08:30:45 GMT

Have you tried:

... | multikv fields "CPU Time" "Status" "Skew Vertex"

Re: Extracting Fields Value

nilampakhare — Wed, 14 Aug 2013 08:54:37 GMT

Here in this example I am not able to extract the values only for CPU Time...So here in this query in place of field_name , what do I need to mention ???

Re: Extracting Fields Value

nilampakhare — Wed, 14 Aug 2013 08:57:29 GMT

But for using multikv ..I need to extract the fields such as CPU Time ,Status ,etc ..r8 ?? In this case I am not able to extract the fields itself ...Can u please guide me through this..

Re: Extracting Fields Value

MarioM — Wed, 14 Aug 2013 10:00:14 GMT

it will depends on the original format of the data and the format in splunk...
You can try "... | multikv forceheader=2" 2 being the line number of the fields name as you see in splunk.
If still not working you can configure a multikv.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Multikvconf

Re: Extracting Fields Value

linu1988 — Mon, 28 Sep 2020 14:33:56 GMT

If you are not having field names, you can use _raw for calculation.

You can make a |mvexpand _raw|rex field=_raw "?\d+.\d+"

Re: Extracting Fields Value

kml_uvce — Mon, 28 Sep 2020 14:33:59 GMT

If I understand, you want to extract CPU time values (0.033, 0.097,5.409 etc) in a field and each line in above data is an event, in query you will get field_name with these values...
your search |rex "(?i)^(?P[^ ]+)" |table cpu_time