Extracting Fields Value

New Member

Jul 16 21:54:45 Phase 0 ended (692 seconds)

CPU Time Status Skew Vertex

0.033 [ : 1] 0% Audit.Gather_Logs

0.097 [ : 1] 0% Audit.Start_Process_Step_Phase5_Run_SQL

5.409 [ :12] 0% DLY_INT_Processed_format

1.433 [ :12] 0% FUNC_INT_Processed_format

3.482 [ :12] 0% Filter_non_func_records

6.751 [ :12] 0% PTD_INT_Processed_format

16.066 [ :12] 0% Partition_and_Re_Sort_by_Firm_Acct_DLY.Partition_by_Key

Here in the above index I'm not able to extract CPU Time, that is, all the values. Only a few of the values are being extracted, like 0.033 and 0.097. Here I'm not able to extract the complete set of values. Please have a glance.

0 Karma

Motivator

Have you tried:

... | multikv fields "CPU Time" "Status" "Skew Vertex" 
0 Karma

Champion

If you are not having field names, you can use _raw for calculation.

You can make a ... | mvexpand _raw | rex field=_raw "(?<cpu_time>\d+\.\d+)"

Motivator

It will depend on the original format of the data and the format in Splunk...
You can try "... | multikv forceheader=2", 2 being the line number of the field names as you see them in Splunk.
If it is still not working, you can configure a multikv.conf: http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Multikvconf

0 Karma

New Member

But to use multikv, I need to extract the fields such as CPU Time, Status, etc., right? In this case I am not able to extract the fields themselves. Can you please guide me through this?

0 Karma

Communicator

"^\d+.\d+" as a regex will match any (1 or more) digit(s), then a period (.) and then another (1 or more) digit(s) at the beginning of a line.

0 Karma

Builder

Can you try this...

your search | rex "(?i)^(?P<field_name>[^ ]+)" | table field_name

0 Karma

Builder

If I understand, you want to extract the CPU Time values (0.033, 0.097, 5.409, etc.) into a field, and each line in the above data is an event. With the query below you will get a field cpu_time with these values...
your search | rex "(?i)^(?P<cpu_time>[^ ]+)" | table cpu_time

0 Karma
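As an added example, not from the thread or from Splunk itself, here is a Python script that mirrors the two approaches proposed above on the asker's own data: the rex-style named capture of CPU Time (first match only, which is how rex behaves by default, versus every match, as with max_match=0 and the (?m) flag) and a multikv forceheader=2-style parse that treats line 2 as the column names. The event text below is the thread's sample reassembled without the blank lines the forum rendering inserted; the function names and the per-row regex are constructed for this example.

```python
import re

# Constructed sample: the asker's event from the thread, reassembled without
# the blank lines that the forum rendering inserted, so the header is line 2.
SAMPLE_EVENT = """\
Jul 16 21:54:45 Phase 0 ended (692 seconds)
CPU Time Status Skew Vertex
0.033 [ : 1] 0% Audit.Gather_Logs
0.097 [ : 1] 0% Audit.Start_Process_Step_Phase5_Run_SQL
5.409 [ :12] 0% DLY_INT_Processed_format
1.433 [ :12] 0% FUNC_INT_Processed_format
3.482 [ :12] 0% Filter_non_func_records
6.751 [ :12] 0% PTD_INT_Processed_format
16.066 [ :12] 0% Partition_and_Re_Sort_by_Firm_Acct_DLY.Partition_by_Key
"""

# One CPU Time value at the start of a line, as in the thread's rex
# suggestions. Python's (?P<name>...) syntax is also accepted by rex.
CPU_TIME_RE = r"^(?P<cpu_time>\d+\.\d+)"

# Every column of one table row. "Status" is a bracketed value containing
# spaces ("[ : 1]", "[ :12]") and the header "CPU Time" also contains a space,
# which is why a plain whitespace split of header and rows does not line up.
ROW_RE = re.compile(
    r"^(?P<cpu_time>\d+\.\d+)\s+"
    r"(?P<status>\[[^\]]*\])\s+"
    r"(?P<skew>\d+%)\s+"
    r"(?P<vertex>\S+)\s*$"
)


def rex_first_match(event, pattern):
    """Mimic rex's default: only the first match, with ^ anchored to the
    start of the whole event rather than to each line."""
    m = re.search(pattern, event)
    return m.groupdict() if m else None


def rex_all_matches(event, pattern):
    """Mimic rex with max_match=0 and (?m): every match, ^ anchored per line."""
    return [m.group("cpu_time") for m in re.finditer(pattern, event, re.MULTILINE)]


def parse_table(event, header_line=2):
    """Mimic multikv forceheader=<n>: everything after line <n> is a table row.
    Column names are fixed here because the header cannot be split on spaces."""
    lines = event.splitlines()
    if header_line < 1 or header_line > len(lines):
        raise ValueError("header line out of range")
    rows = []
    for line in lines[header_line:]:
        m = ROW_RE.match(line)
        if not m:  # skip anything that is not a table row
            continue
        rows.append({
            "CPU Time": float(m.group("cpu_time")),
            "Status": m.group("status"),
            "Skew": m.group("skew"),
            "Vertex": m.group("vertex"),
        })
    return rows


def total_cpu_time(event):
    """Sum of the CPU Time column, rounded to the three decimals in the data."""
    return round(sum(r["CPU Time"] for r in parse_table(event)), 3)


if __name__ == "__main__":
    print(rex_first_match(SAMPLE_EVENT, CPU_TIME_RE))  # None: event starts with "Jul 16"
    print(rex_all_matches(SAMPLE_EVENT, CPU_TIME_RE))  # all seven values
    for row in parse_table(SAMPLE_EVENT):
        print(row)
    print(total_cpu_time(SAMPLE_EVENT))
```

The first call returns nothing because a multi-line event begins with the "Phase 0 ended" line, so an anchored pattern that is only tried once never reaches the rows; the second call, with every match and per-line anchoring, returns all seven values, which is the behaviour the asker was missing. The table parser shows why the header-based route needs a per-column pattern rather than a whitespace split.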

New Member

Here in this example I am not able to extract the values only for CPU Time. So in this query, in place of field_name, what do I need to mention?

0 Karma