https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61815#M8793 <P>Hello</P> <P>I need to extract total from Mem and free from buffers/cache. Any idea on how do I do that?</P> <PRE><CODE> total used free shared buffers cached </CODE></PRE> <P>Mem: 3820 3685 134 0 663 2115</P> <P>buffers/cache: 907 2913</P> <P>I did try using multikv</P> <PRE><CODE>multikv fields total free filter Mem buffers/cache </CODE></PRE> <P>But it doesn't give the data as expected.</P> <P>Data before the perl script was used to strip off few fields</P> <PRE><CODE> total used free shared buffers cached </CODE></PRE> <P>Mem: 3820 3666 154 0 658 1980</P> <P>-/+ buffers/cache: 1027 2793</P> <P>Swap: 2047 0 2047</P> <P>Total: 5868 3666 2202</P> <P>When I used multikv it was considering ttal as 3820 and -/+ buffers/cache. To avoid this I removed the -/+ , Swap and Total (not needed). Now its not even recognizing when I do multikv fields free filter buffers/cache.</P> Wed, 12 Dec 2012 18:20:00 GMT theouhuios 2012-12-12T18:20:00Z https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61815#M8793 <P>Hello</P> <P>I need to extract total from Mem and free from buffers/cache. Any idea on how do I do that?</P> <PRE><CODE> total used free shared buffers cached </CODE></PRE> <P>Mem: 3820 3685 134 0 663 2115</P> <P>buffers/cache: 907 2913</P> <P>I did try using multikv</P> <PRE><CODE>multikv fields total free filter Mem buffers/cache </CODE></PRE> <P>But it doesn't give the data as expected.</P> <P>Data before the perl script was used to strip off few fields</P> <PRE><CODE> total used free shared buffers cached </CODE></PRE> <P>Mem: 3820 3666 154 0 658 1980</P> <P>-/+ buffers/cache: 1027 2793</P> <P>Swap: 2047 0 2047</P> <P>Total: 5868 3666 2202</P> <P>When I used multikv it was considering ttal as 3820 and -/+ buffers/cache. To avoid this I removed the -/+ , Swap and Total (not needed). Now its not even recognizing when I do multikv fields free filter buffers/cache.</P> Wed, 12 Dec 2012 18:20:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61815#M8793 theouhuios 2012-12-12T18:20:00Z https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61816#M8794 <P>multikv is typically what would work. What results are you getting from using multikv?</P> Wed, 12 Dec 2012 18:29:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61816#M8794 sdaniels 2012-12-12T18:29:57Z https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61817#M8795 <P>I actually wrote a perl script to remove few things which weren't needed like -/+ in the output of free -tm command. I did that because of the issues in the multikv. It was considering -/+ buffers/cache as a value to total and this wasn't letting use any calculations.</P> Wed, 12 Dec 2012 18:37:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61817#M8795 theouhuios 2012-12-12T18:37:44Z https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61818#M8796 <P>Edited my first post with more info.</P> Wed, 12 Dec 2012 18:40:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61818#M8796 theouhuios 2012-12-12T18:40:14Z https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61819#M8797 <P>This should work, whether or not you use the Perl script. It will give you two field: <CODE>mem_total</CODE> and <CODE>cache_free</CODE></P> <PRE><CODE>yoursearchhere | rex "(?m)Mem:\s*(?&lt;mem_total&gt;\d+)\s*cache:\s*\d+\s+(?&lt;cache_free&gt;\d+)" </CODE></PRE> Thu, 13 Dec 2012 03:15:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61819#M8797 lguinn2 2012-12-13T03:15:43Z https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61820#M8798 <P>Nope. Even this isn't working. Should I just input the raw data instead of using a script to modify the data and format? Probably that's messing it up</P> Thu, 13 Dec 2012 15:05:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Extract-fields-with-multiple-values-in-raw-data/m-p/61820#M8798 theouhuios 2012-12-13T15:05:02Z