topic Re: How to extract multivalue fields in Splunk and the events in tabular format? in Splunk Search

How to extract multivalue fields in Splunk and the events in tabular format?

Shashank_87 — Wed, 01 May 2019 15:12:32 GMT

Hi, I have one OS index in Splunk where i get the raw data in a tabular format like below. Now I need to extract these fields like PID and that too only for the "java" COMMAND.

PID  USER              PR    NI    VIRT     RES     SHR   S  pctCPU  pctMEM       cpuTIME  COMMAND
  7195  user              20     0   1361m     74m     15m   S    25.1     0.3      57:32.41  oneagentos
  7240  api               20     0   14.1g    1.9g     35m   S     5.8     8.1      62:42.81  java
  9717  api               20     0   14.1g    1.8g     35m   S     3.9     7.8      61:00.56  java
  3882  user1              20     0   1530m     34m    8584   S     1.9     0.1     212:28.61  python

I would need this data in a lookup because I need to ingest it into another instance of Splunk to compare the charts.
Can someone help me extracting these fields and how can i export those to another Splunk?

Re: How to extract multivalue fields in Splunk and the events in tabular format?

landen99 — Wed, 01 May 2019 15:52:31 GMT

Use multikv:

| stats count | eval _raw="PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND
7195 user 20 0 1361m 74m 15m S 25.1 0.3 57:32.41 oneagentos
7240 api 20 0 14.1g 1.9g 35m S 5.8 8.1 62:42.81 java
9717 api 20 0 14.1g 1.8g 35m S 3.9 7.8 61:00.56 java
3882 user1 20 0 1530m 34m 8584 S 1.9 0.1 212:28.61 python" | table _raw
| multikv

For your example:

index=os | multikv | outputlookup yourlookup.csv

Re: How to extract multivalue fields in Splunk and the events in tabular format?

lakshman239 — Wed, 01 May 2019 16:23:16 GMT

On your 1st instance, you could do something like this to extract pids to a file.

    index=os | rex field=_raw  " ^(?<java_pid>\d+)\s.*java$"| table java_pid | eval status ="java" | fields java_pid, status | outputlookup java_pid_status.csv

On the second instance, you can then use this lookup to compare

Re: How to extract multivalue fields in Splunk and the events in tabular format?

Shashank_87 — Thu, 02 May 2019 08:39:32 GMT

Hi, I dont think this rex is correct as it is not working.

Re: How to extract multivalue fields in Splunk and the events in tabular format?

Shashank_87 — Thu, 02 May 2019 08:48:16 GMT

Hi Landen, Thanks for your response.
Using this I am not able to see _time field. So basically my ultimate goal is to plot 2 charts (line graphs) in same splunk. Now the 2nd chart will consist of this index=os data. So i was thinking of exporting the PID and time values from this splunk to other splunk and then plot the chart against time.
Does this make sense?

Re: How to extract multivalue fields in Splunk and the events in tabular format?

lakshman239 — Thu, 02 May 2019 09:58:12 GMT

could you pls check now and also review/amend as needed for your event - https://regex101.com/r/lcAZF0/2

Re: How to extract multivalue fields in Splunk and the events in tabular format?

landen99 — Thu, 02 May 2019 17:18:36 GMT

The SPL posted was just an example to show the command "multikv" in action. For your data, your SPL would probably like this:

index=os | multikv

Re: How to extract multivalue fields in Splunk and the events in tabular format?

Shashank_87 — Wed, 08 May 2019 10:26:16 GMT

It worked thanks.