https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225982#M66642 <P>Have a look at multikv command<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Multikv">http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Multikv</A></P> <P>usage</P> <P>your base search | multikv</P> Wed, 10 Aug 2016 23:28:40 GMT somesoni2 2016-08-10T23:28:40Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225980#M66640 <P>All, </P> <P>So I am playing with the netstat feature in Splunk for Unix. There does not seem to be field extractions for the columns in Netstat. </P> <P>Output look something like this from the netstat.sh command<BR /> Proto Recv-Q Send-Q LocalAddress ForeignAddress State<BR /> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN<BR /> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN<BR /> tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN<BR /> tcp 0 0 0.0.0.0:49085 0.0.0.0:* LISTEN</P> <P>Any idea where I could start with this? </P> Wed, 10 Aug 2016 22:51:10 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225980#M66640 daniel333 2016-08-10T22:51:10Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225981#M66641 <P>You can create your own extraction. Make this change on the search head</P> <P>*<STRONG><EM>props.conf</EM></STRONG>*</P> <PRE><CODE>[appropriate_stanza_name] FIELD_HEADER_REGEX=(proto.*) HEADER_FIELD_DELIMITER=" " FIELD_DELIMITER=" " </CODE></PRE> Wed, 10 Aug 2016 23:14:17 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225981#M66641 sundareshr 2016-08-10T23:14:17Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225982#M66642 <P>Have a look at multikv command<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Multikv">http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Multikv</A></P> <P>usage</P> <P>your base search | multikv</P> Wed, 10 Aug 2016 23:28:40 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225982#M66642 somesoni2 2016-08-10T23:28:40Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225983#M66643 <P>Thanks a lot for this suggestion! I was researching the same problem as the OP today for an urgent monitor. multikv worked perfectly and saved me hours of time!</P> Thu, 11 Aug 2016 15:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-on-the-command-Netstat-command/m-p/225983#M66643 brettbird80 2016-08-11T15:35:56Z