https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97251#M97485 <P>School|Month|SubjectA|SubjectB is the first line in my data and there are no empty lines before.</P> <P>my inputs.conf</P> <PRE><CODE>[monitor:///opt/testdata/multikv] disabled = false followTail = 0 host = datav1 index = multikv sourcetype = datav1 </CODE></PRE> <P>"index=multikv sourcetype=datav1" gives only 1 event which is the 4 lines of my data (1 header, 3 data)<BR /> &nbsp;</P> <P>"index=multikv sourcetype=datav1 | multikv conf=testmultikv | table School Month SubjectA SubjectB" gives "No results found"<BR /> &nbsp;</P> <P>I'm running Splunk 5.0.2, build 149561.</P> Mon, 13 May 2013 00:15:50 GMT Parameshwara 2013-05-13T00:15:50Z https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97247#M97481 <P>multikv.conf</P> <PRE><CODE>[testmultikv] pre.linecount = 1 header.linecount = 1 header.tokens = _tokenize_, -1, "1" body.tokens = _tokenize_, 0, "1" </CODE></PRE> <P>Sample data file:</P> <PRE><CODE>School|Month|Subject_A_Score|Subject_B_Score SchoolA|January|0|20 SchoolB|January|50|99 SchoolC|January|11|88 ... </CODE></PRE> <P>Search:</P> <PRE><CODE>index=xxx | multikv conf=testmultikv | table School Month Subject... </CODE></PRE> <P>Search results does not pick up the defined fields. What is missing in the configuration file?</P> Wed, 17 Apr 2013 07:11:51 GMT https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97247#M97481 Parameshwara 2013-04-17T07:11:51Z https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97248#M97482 <P>A working configuration for multikv.conf is:</P> <PRE><CODE>[testmultikv] header.linecount = 1 header.tokens = _tokenize_, -1, "|" body.tokens = _tokenize_, 0, "|" </CODE></PRE> <P>(no pre section, and "|" (pipe) instead of "1" (one))</P> <P>And you have to ensure that your whole data file will be indexed as one event, because multikv works on "table-formatted events".</P> <P>The whole "table"</P> <PRE><CODE>School|Month|Subject_A_Score|Subject_B_Score SchoolA|January|0|20 SchoolB|January|50|99 SchoolC|January|11|88 ... </CODE></PRE> <P>has to be one event.</P> <P>You can do this by setting BREAK_ONLY_BEFORE for the sourcetype to a pattern that never match like (?!) and SHOULD_LINEMERGE to true. Depending on your file size (number of lines) you probably also need to increase MAX_EVENTS (default is 500).</P> <P>Sample sourcetype definition in props.conf:</P> <PRE><CODE>[schooldata] SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE=(?!) MAX_EVENTS=10000 NO_BINARY_CHECK=1 </CODE></PRE> Wed, 08 May 2013 18:14:14 GMT https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97248#M97482 andreas 2013-05-08T18:14:14Z https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97249#M97483 <P>multikv.conf:</P> <PRE><CODE>[testmultikv] header.linecount = 1 header.tokens = _tokenize_, -1, "|" body.tokens = _tokenize_, 0, "|" </CODE></PRE> <P>props.conf</P> <PRE><CODE>[datav1] NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true pulldown_type = 1 BREAK_ONLY_BEFORE=(?!) MAX_EVENTS=100000 </CODE></PRE> <P>my data is:</P> <PRE><CODE>School|Month|SubjectA|SubjectB SchoolZ|January|0|20 SchoolX|January|50|99 SchoolM|January|11|88 </CODE></PRE> <P>my search is:</P> <PRE><CODE>index=multikv | multikv conf=testmultikv </CODE></PRE> <P>What I get is the first data row becomes the field. In 'interesting field' one items appears as SchoolZ|January|0|20.</P> Fri, 10 May 2013 05:17:04 GMT https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97249#M97483 Parameshwara 2013-05-10T05:17:04Z https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97250#M97484 <P>Is this line<BR /> School|Month|SubjectA|SubjectB<BR /> the first line in your data file? No empty line(s) before?</P> <P>How does your inputs.conf look like? (Did you use sourcetype=datav1?)</P> <P>What is the output of the search<BR /> index=multikv sourcetype=datav1<BR /> (should be one event containing all the data)</P> <P>and what is the output of<BR /> index=multikv sourcetype=datav1 | multikv conf=testmultikv | table School Month SubjectA SubjectB</P> <P>Which Splunk version are you using?</P> Fri, 10 May 2013 09:24:49 GMT https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97250#M97484 andreas 2013-05-10T09:24:49Z https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97251#M97485 <P>School|Month|SubjectA|SubjectB is the first line in my data and there are no empty lines before.</P> <P>my inputs.conf</P> <PRE><CODE>[monitor:///opt/testdata/multikv] disabled = false followTail = 0 host = datav1 index = multikv sourcetype = datav1 </CODE></PRE> <P>"index=multikv sourcetype=datav1" gives only 1 event which is the 4 lines of my data (1 header, 3 data)<BR /> &nbsp;</P> <P>"index=multikv sourcetype=datav1 | multikv conf=testmultikv | table School Month SubjectA SubjectB" gives "No results found"<BR /> &nbsp;</P> <P>I'm running Splunk 5.0.2, build 149561.</P> Mon, 13 May 2013 00:15:50 GMT https://community.splunk.com/t5/Getting-Data-In/multikv-conf-for-data-with-pipe-delimeter/m-p/97251#M97485 Parameshwara 2013-05-13T00:15:50Z