All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting Fields Value

nilampakhare
New Member
‎08-13-2013 09:41 PM

Jul 16 21:54:45 Phase 0 ended (692 seconds)

CPU Time Status Skew Vertex

0.033 [ : 1] 0% Audit.Gather_Logs

0.097 [ : 1] 0% Audit.Start_Process_Step_Phase5_Run_SQL

5.409 [ :12] 0% DLY_INT_Processed_format

1.433 [ :12] 0% FUNC_INT_Processed_format

3.482 [ :12] 0% Filter_non_func_records

6.751 [ :12] 0% PTD_INT_Processed_format

16.066 [ :12] 0% Partition_and_Re_Sort_by_Firm_Acct_DLY.Partition_by_Key

Here in the above index i m not able to extract CPU Time that is all the values ...Only few of the values are being extracted like 0.033 and 0.097..Here I m not able to extract the complete set of values ..Please have a glance..

0 Karma
Reply

MarioM
Motivator
‎08-14-2013 01:30 AM

Have you tried:

... | multikv fields "CPU Time" "Status" "Skew Vertex"
0 Karma
Reply

linu1988
Champion
‎08-14-2013 03:19 AM

If you are not having field names, you can use _raw for calculation.

You can make a |mvexpand _raw|rex field=_raw "?\d+.\d+"

Reply

MarioM
Motivator
‎08-14-2013 03:00 AM

it will depends on the original format of the data and the format in splunk...
You can try "... | multikv forceheader=2" 2 being the line number of the fields name as you see in splunk.
If still not working you can configure a multikv.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Multikvconf

0 Karma
Reply

nilampakhare
New Member
‎08-14-2013 01:57 AM

But for using multikv ..I need to extract the fields such as CPU Time ,Status ,etc ..r8 ?? In this case I am not able to extract the fields itself ...Can u please guide me through this..

0 Karma
Reply

lcrielaa
Communicator
‎08-14-2013 01:21 AM

"^\d+.\d+" as a regex will match any (1 or more) digit(s), then a period (.) and then another (1 or more) digit(s) at the beginning of a line.

0 Karma
Reply

kml_uvce
Builder
‎08-14-2013 01:16 AM

can you try this...

your search |rex "(?i)^(?P[^ ]+)" |table field_name

0 Karma
Reply

kml_uvce
Builder
‎08-14-2013 03:33 AM

If I understand, you want to extract CPU time values (0.033, 0.097,5.409 etc) in a field and each line in above data is an event, in query you will get field_name with these values...
your search |rex "(?i)^(?P[^ ]+)" |table cpu_time

0 Karma
Reply

nilampakhare
New Member
‎08-14-2013 01:54 AM

Here in this example I am not able to extract the values only for CPU Time...So here in this query in place of field_name , what do I need to mention ???

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...