https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116868#M44331 <P>The following configuration worked for me: </P> <PRE><CODE>[multitest] header.start = "Timestamp" header.linecount = 1 header.tokens = _tokenize_, -1," | " body.tokens = _tokenize_, -1, " | " </CODE></PRE> <P>This will remove the hearder automatically from the results and then split each line into a separate event when using the following search sourcetype="multikvtest" | multikv conf=multitest </P> <P>If you want to filter the results further by field value, you will only be able to do so by piping to the search command </P> <P>Example: </P> <P><MYSEARCH> | multikv conf=multitest | search field=value </MYSEARCH></P> Mon, 28 Oct 2013 18:37:35 GMT RicoSuave 2013-10-28T18:37:35Z https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116867#M44330 <P>I have a custom scripted input generating output as follows which is being sucessfully indexed:</P> <P>Timestamp | Service_Description | Service_Name | Service_URI | Response_Time | HTTP_Code | Status | Fail_Reason<BR /> 2013-10-27T12-46-24 | abc.domain.com/Account/GetAPS | GetAPS | bus.domain.com:0000/Site/GetAPS.svc | 0.240 | 200 | Pass |<BR /> 2013-10-27T12-46-25 | abc.domain.com/Account/GetAPS2 | GetAPS2 | bus.domain.com:0000/Site/GetAPS2.svc | 0.340 | 200 | Pass |<BR /> 2013-10-27T12-46-26 | abc.domain.com/Account/GetAPS3 | GetAPS3 | bus.domain.com:0000/Site/GetAPS3.svc | 0.440 | 200 | Pass |<BR /> 2013-10-27T12-46-27 | abc.domain.com/Account/GetAPS4 | GetAPS4 | bus.domain.com:0000/Site/GetAPS4.svc | 0.540 | 200 | Pass |</P> <P>Based on advice from the answer to <A href="http://answers.splunk.com/answers/84134/multikvconf-for-data-with-pipe-delimeter" target="_blank">multikvconf for data with pipe delimeter</A> my config is as follows:</P> <P>inputs.conf</P> <P>[script://./bin/customscript.sh]<BR /> interval = 600<BR /> source = customscript.sh<BR /> index = customindex<BR /> sourcetype = custominput<BR /> disabled = 0</P> <P>multikv.conf</P> <P>[custommultikv]<BR /> header.tokens = Timestamp,Service_Description,Service_Name,Service_URI,Response_Time,HTTP_Code,Status,Fail_Reason<BR /> header.start = "Timestamp"<BR /> header.linecount = 1<BR /> header.tokens = <EM>tokenize</EM>, -1, "|"<BR /> body.tokens = <EM>tokenize</EM>, 0, "|"</P> <P>props.conf</P> <P>[hostname]<BR /> NO_BINARY_CHECK = 1<BR /> SHOULD_LINEMERGE = true<BR /> pulldown_type = 1<BR /> BREAK_ONLY_BEFORE=(?!)<BR /> MAX_EVENTS=100000</P> <P>The search that I am using is:</P> <P>index="customindex" | multikv conf=custommultikv forceheader=1</P> <P>The problem is that with or without * header.tokens * header.start * props.conf or * forceheader=1 the events are split but the fields are not created so the following, for example, returns no events:</P> <P>index="mswm_bpm_all_prod" splunk_server=dd894c3n12-9002 | multikv conf=ebcmultikv forceheader=1 | table Service_Description</P> Mon, 28 Sep 2020 15:05:47 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116867#M44330 YisroelB 2020-09-28T15:05:47Z https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116868#M44331 <P>The following configuration worked for me: </P> <PRE><CODE>[multitest] header.start = "Timestamp" header.linecount = 1 header.tokens = _tokenize_, -1," | " body.tokens = _tokenize_, -1, " | " </CODE></PRE> <P>This will remove the hearder automatically from the results and then split each line into a separate event when using the following search sourcetype="multikvtest" | multikv conf=multitest </P> <P>If you want to filter the results further by field value, you will only be able to do so by piping to the search command </P> <P>Example: </P> <P><MYSEARCH> | multikv conf=multitest | search field=value </MYSEARCH></P> Mon, 28 Oct 2013 18:37:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116868#M44331 RicoSuave 2013-10-28T18:37:35Z https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116869#M44332 <P>Thank you. Adding the spaces before and after the pipe (delimiter) and changing -1 to 0 in body.tokens worked like a charm.</P> <P>It was a revelation though, that the fields do not show up in the field picker until you use another command after multikv like table etc (they show up imediately for bult-in multikv support like ps and top etc).</P> Mon, 28 Oct 2013 21:50:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/multikv-custom-scripted-input-not-mapping-headers/m-p/116869#M44332 YisroelB 2013-10-28T21:50:19Z