topic Re: How multivalue of field can be extracted in the below mentioned event , all the events are in the same format, any solution/query ? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486158#M136027 <P>That is the whole point of <CODE>multikv</CODE>:</P> <PRE><CODE>|makeresults | eval _raw="Filesystem Type Size Used Avail UsePct MountedOn /dev/mapper/rootvg-rootlv ext3 6.0G 4.3G 1.4G 77% / /dev/sda1 ext3 194M 78M 107M 43% /boot /dev/mapper/rootvg-home_lv ext3 2.0G 528M 1.4G 28% /local_home /dev/mapper/rootvg-opt_lv ext3 6.0G 1.2G 4.5G 21% /opt /dev/mapper/rootvg-tmp_lv ext3 2.0G 230M 1.7G 13% /tmp /dev/mapper/rootvg-usr_lv ext3 2.0G 116M 1.8G 7% /usr/local /dev/mapper/rootvg-var_lv ext3 4.0G 1.4G 2.4G 37% /var /dev/mapper/rootvg-history_lv ext3 2.0G 68M 1.9G 4% /history_logs /dev/mapper/rootvg-itm_lv ext3 3.0G 608M 2.3G 22% /opt/IBM/ITM /dev/mapper/appvg-apps_lv ext3 32G 177M 30G 1% /apps /dev/mapper/appvg-usr_apigee_lv ext3 197G 485M 187G 1% /usr/apigee /dev/mapper/appvg-apilogs_lv ext3 20G 173M 19G 1% /apilogs /dev/mapper/appvg-Introscope_lv ext3 3.0G 69M 2.8G 3% /Introscope /dev/mapper/rootvg-venafi_lv ext4 976M 1.3M 924M 1% /venafi /dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G 178G 5% /opt/apigee" | multikv forceheader=1 copyattrs=t </CODE></PRE> Sun, 17 Nov 2019 01:30:34 GMT woodcock 2019-11-17T01:30:34Z How multivalue of field can be extracted in the below mentioned event , all the events are in the same format, any solution/query ? https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486156#M136025 <P>Filesystem Type Size Used Avail UsePct MountedOn<BR /> /dev/mapper/rootvg-rootlv ext3 6.0G 4.3G 1.4G 77% /<BR /> /dev/sda1 ext3 194M 78M 107M 43% /boot<BR /> /dev/mapper/rootvg-home_lv ext3 2.0G 528M 1.4G 28% /local_home<BR /> /dev/mapper/rootvg-opt_lv ext3 6.0G 1.2G 4.5G 21% /opt<BR /> /dev/mapper/rootvg-tmp_lv ext3 2.0G 230M 1.7G 13% /tmp<BR /> /dev/mapper/rootvg-usr_lv ext3 2.0G 116M 1.8G 7% /usr/local<BR /> /dev/mapper/rootvg-var_lv ext3 4.0G 1.4G 2.4G 37% /var<BR /> /dev/mapper/rootvg-history_lv ext3 2.0G 68M 1.9G 4% /history_logs<BR /> /dev/mapper/rootvg-itm_lv ext3 3.0G 608M 2.3G 22% /opt/IBM/ITM<BR /> /dev/mapper/appvg-apps_lv ext3 32G 177M 30G 1% /apps<BR /> /dev/mapper/appvg-usr_apigee_lv ext3 197G 485M 187G 1% /usr/apigee<BR /> /dev/mapper/appvg-apilogs_lv ext3 20G 173M 19G 1% /apilogs<BR /> /dev/mapper/appvg-Introscope_lv ext3 3.0G 69M 2.8G 3% /Introscope<BR /> /dev/mapper/rootvg-venafi_lv ext4 976M 1.3M 924M 1% /venafi<BR /> /dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G 178G 5% /opt/apigee</P> Wed, 30 Sep 2020 03:00:00 GMT https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486156#M136025 Rakesh_597 2020-09-30T03:00:00Z Re: How multivalue of field can be extracted in the below mentioned event , all the events are in the same format, any solution/query ? https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486157#M136026 <PRE><CODE>| makeresults | eval _raw="Filesystem,Type,Size,Used,Avail,UsePct,MountedOn /dev/mapper/rootvg-rootlv,ext3,6.0G,4.3G,1.4G,77%,/ /dev/sda1,ext3,194M,78M,107M,43%,/boot /dev/mapper/rootvg-home_lv,ext3,2.0G,528M,1.4G,28%,/local_home /dev/mapper/rootvg-opt_lv,ext3,6.0G,1.2G,4.5G,21%,/opt /dev/mapper/rootvg-tmp_lv,ext3,2.0G,230M,1.7G,13%,/tmp /dev/mapper/rootvg-usr_lv,ext3,2.0G,116M,1.8G,7%,/usr/local /dev/mapper/rootvg-var_lv,ext3,4.0G,1.4G,2.4G,37%,/var /dev/mapper/rootvg-history_lv,ext3,2.0G,68M,1.9G,4%,/history_logs /dev/mapper/rootvg-itm_lv,ext3,3.0G,608M,2.3G,22%,/opt/IBM/ITM /dev/mapper/appvg-apps_lv,ext3,32G,177M,30G,1%,/apps /dev/mapper/appvg-usr_apigee_lv,ext3,197G,485M,187G,1%,/usr/apigee /dev/mapper/appvg-apilogs_lv,ext3,20G,173M,19G,1%,/apilogs /dev/mapper/appvg-Introscope_lv,ext3,3.0G,69M,2.8G,3%,/Introscope /dev/mapper/rootvg-venafi_lv,ext4,976M,1.3M,924M,1%,/venafi /dev/mapper/appvg-opt_apigee_lv,ext4,197G,8.9G,178G,5%,/opt/apigee" | multikv forceheader=1 | table Filesystem,Type,Size,Used,Avail,UsePct,MountedOn </CODE></PRE> <P>Multiple values?<BR /> Do you mean you want to summarize by type?</P> Sun, 17 Nov 2019 00:24:43 GMT https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486157#M136026 to4kawa 2019-11-17T00:24:43Z Re: How multivalue of field can be extracted in the below mentioned event , all the events are in the same format, any solution/query ? https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486158#M136027 <P>That is the whole point of <CODE>multikv</CODE>:</P> <PRE><CODE>|makeresults | eval _raw="Filesystem Type Size Used Avail UsePct MountedOn /dev/mapper/rootvg-rootlv ext3 6.0G 4.3G 1.4G 77% / /dev/sda1 ext3 194M 78M 107M 43% /boot /dev/mapper/rootvg-home_lv ext3 2.0G 528M 1.4G 28% /local_home /dev/mapper/rootvg-opt_lv ext3 6.0G 1.2G 4.5G 21% /opt /dev/mapper/rootvg-tmp_lv ext3 2.0G 230M 1.7G 13% /tmp /dev/mapper/rootvg-usr_lv ext3 2.0G 116M 1.8G 7% /usr/local /dev/mapper/rootvg-var_lv ext3 4.0G 1.4G 2.4G 37% /var /dev/mapper/rootvg-history_lv ext3 2.0G 68M 1.9G 4% /history_logs /dev/mapper/rootvg-itm_lv ext3 3.0G 608M 2.3G 22% /opt/IBM/ITM /dev/mapper/appvg-apps_lv ext3 32G 177M 30G 1% /apps /dev/mapper/appvg-usr_apigee_lv ext3 197G 485M 187G 1% /usr/apigee /dev/mapper/appvg-apilogs_lv ext3 20G 173M 19G 1% /apilogs /dev/mapper/appvg-Introscope_lv ext3 3.0G 69M 2.8G 3% /Introscope /dev/mapper/rootvg-venafi_lv ext4 976M 1.3M 924M 1% /venafi /dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G 178G 5% /opt/apigee" | multikv forceheader=1 copyattrs=t </CODE></PRE> Sun, 17 Nov 2019 01:30:34 GMT https://community.splunk.com/t5/Splunk-Search/How-multivalue-of-field-can-be-extracted-in-the-below-mentioned/m-p/486158#M136027 woodcock 2019-11-17T01:30:34Z