topic Re: KV_MODE = multi not capturing fields in Getting Data In

KV_MODE = multi not capturing fields

jamesvz84 — Mon, 28 Sep 2020 16:46:48 GMT

I am using the splunk for unix app and the KV_MODE = multi entry in props.conf is not working. For example, I am still getting the raw output of cpu.sh:

CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       0.17       4.16       0.25       0.00      95.42
0         1.00       0.00       1.00       0.00      98.00
1         0.00      99.01       0.99       0.00       0.00
2         0.00       0.00       0.00       0.00     100.00
3         0.00       0.00       0.00       0.00     100.00
4         0.00       0.00       1.00       0.00      99.00
5         0.00       0.00       0.00       0.00     100.00
6         0.00       0.00       0.00       0.00     100.00
7         0.00       0.00       0.00       0.00     100.00
8         0.00       0.00       0.00       0.00     100.00
9         0.00       0.00       0.00       0.00     100.00
10        0.00       0.00       1.00       0.00      99.00
11        0.00       0.00       0.00       0.00     100.00
12        0.00       0.00       0.00       0.00     100.00
13        0.99       0.00       0.00       0.00      99.01
14        0.00       0.00       0.00       0.00     100.00
15        0.99       0.00       0.99       0.00      98.02
16        0.99       0.00       0.99       0.00      98.02
17        0.00       0.00       0.99       0.00      99.01
18        0.00       0.00       0.00       0.00     100.00
19        0.00       0.00       1.00       0.00      99.00
20        0.00       0.00       0.00       0.00     100.00
21        0.00       0.00       0.00       0.00     100.00
22        0.00       0.00       0.99       0.00      99.01
23        0.99       0.00       0.00       0.00      99.01

Here is my currect config in props.conf:

[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
CHECK_FOR_HEADER = true
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
FIELDALIAS-cpu_for_cpu = CPU as cpu
FIELDALIAS-idle_time_for_cpu = pctIdle AS PercentIdleTime
FIELDALIAS-nice_time_for_cpu = pctNice AS PercentNiceTime
FIELDALIAS-cpu_load_percent_for_cpu = pctSystem AS PercentSystemTime,pctSystem as cpu_load_percent
FIELDALIAS-cpu_user_percent_for_cpu = pctUser AS PercentUserTime,pctUser as cpu_user_percent
FIELDALIAS-wait_time_for_cpu = pctIowait AS PercentWaitTime

I've tried both with and without CHECK_FOR_HEADER = true , and also I tried putting the props.conf on the heavy forwarder (didn't work) and then on the indexer itself and made sure deployment server restarted the HF/indexer. Nothing has worked so far. Does anyone have any other ideas?

Re: KV_MODE = multi not capturing fields

jamesvz84 — Tue, 15 Jul 2014 20:51:16 GMT

I resolved this by splitting up the config. Half was put on Heavy Forwarder, half was put on Search Head. Then restarted both. Not sure why I had to do this, but it works:

On Heavy Forwarder

[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
CHECK_FOR_HEADER = true

On Search Head:

   [cpu]
    FIELDALIAS-dest_for_cpu = host as dest
    FIELDALIAS-src_for_cpu = host as src
    FIELDALIAS-cpu_for_cpu = CPU as cpu
    FIELDALIAS-idle_time_for_cpu = pctIdle AS PercentIdleTime
    FIELDALIAS-nice_time_for_cpu = pctNice AS PercentNiceTime
    FIELDALIAS-cpu_load_percent_for_cpu = pctSystem AS PercentSystemTime,pctSystem as cpu_load_percent
    FIELDALIAS-cpu_user_percent_for_cpu = pctUser AS PercentUserTime,pctUser as cpu_user_percent
    FIELDALIAS-wait_time_for_cpu = pctIowait AS PercentWaitTime

Re: KV_MODE = multi not capturing fields

jawaharas — Mon, 13 Jan 2020 05:59:03 GMT

In my case, the header line was having 'tab' character. After replacing the 'tab' characters with 'space' characters, the field extraction worked.