topic Re: multikv on raw data (row timestamp) in Splunk Search

multikv on raw data (row timestamp)

minkyuk — Wed, 08 Jul 2015 14:51:13 GMT

Hello-
I'll jump into the main part.

Here is a snippet:
Tue 2015 15:00:23
ZGD-OCU-QQQ
POS-BKD-AKD
COK-ZPP-AKF

DISK-------USAGE-------HOST

My multikv extraction thinks "ZGD-OCU-QQQ" is my "fields".
It definitely is correctly extracting the information, but I'm trying to find a way to skip 3 lines-rows- after the timestamp to extract correct fields.

I would appreciate any help..!
J

Re: multikv on raw data (row timestamp)

richgalloway — Wed, 08 Jul 2015 15:36:04 GMT

Try ... | multikv start_line=4 .... Adjust the start_line value as necessary.

Re: multikv on raw data (row timestamp)

minkyuk — Wed, 08 Jul 2015 18:48:05 GMT

I still need to read the first line to record the Timestamp, however.

Could I use any variation?

Re: multikv on raw data (row timestamp)

richgalloway — Wed, 08 Jul 2015 18:52:51 GMT

Use rex to extract the timestamp before using multikv on the rest.