- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Extracting Fields Value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting Fields Value
Jul 16 21:54:45 Phase 0 ended (692 seconds)
CPU Time Status Skew Vertex
0.033 [ : 1] 0% Audit.Gather_Logs
0.097 [ : 1] 0% Audit.Start_Process_Step_Phase5_Run_SQL
5.409 [ :12] 0% DLY_INT_Processed_format
1.433 [ :12] 0% FUNC_INT_Processed_format
3.482 [ :12] 0% Filter_non_func_records
6.751 [ :12] 0% PTD_INT_Processed_format
16.066 [ :12] 0% Partition_and_Re_Sort_by_Firm_Acct_DLY.Partition_by_Key
Here in the above index i m not able to extract CPU Time that is all the values ...Only few of the values are being extracted like 0.033 and 0.097..Here I m not able to extract the complete set of values ..Please have a glance..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried:
... | multikv fields "CPU Time" "Status" "Skew Vertex"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are not having field names, you can use _raw for calculation.
You can make a |mvexpand _raw|rex field=_raw "?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it will depends on the original format of the data and the format in splunk...
You can try "... | multikv forceheader=2" 2 being the line number of the fields name as you see in splunk.
If still not working you can configure a multikv.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Multikvconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But for using multikv ..I need to extract the fields such as CPU Time ,Status ,etc ..r8 ?? In this case I am not able to extract the fields itself ...Can u please guide me through this..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"^\d+.\d+" as a regex will match any (1 or more) digit(s), then a period (.) and then another (1 or more) digit(s) at the beginning of a line.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try this...
your search |rex "(?i)^(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand, you want to extract CPU time values (0.033, 0.097,5.409 etc) in a field and each line in above data is an event, in query you will get field_name with these values...
your search |rex "(?i)^(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here in this example I am not able to extract the values only for CPU Time...So here in this query in place of field_name , what do I need to mention ???
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
