All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extracting Fields Value

nilampakhare
New Member
‎08-13-2013 09:41 PM

Jul 16 21:54:45 Phase 0 ended (692 seconds)

CPU Time Status Skew Vertex

0.033 [ : 1] 0% Audit.Gather_Logs

0.097 [ : 1] 0% Audit.Start_Process_Step_Phase5_Run_SQL

5.409 [ :12] 0% DLY_INT_Processed_format

1.433 [ :12] 0% FUNC_INT_Processed_format

3.482 [ :12] 0% Filter_non_func_records

6.751 [ :12] 0% PTD_INT_Processed_format

16.066 [ :12] 0% Partition_and_Re_Sort_by_Firm_Acct_DLY.Partition_by_Key

Here in the above index i m not able to extract CPU Time that is all the values ...Only few of the values are being extracted like 0.033 and 0.097..Here I m not able to extract the complete set of values ..Please have a glance..

0 Karma
Reply

MarioM
Motivator
‎08-14-2013 01:30 AM

Have you tried:

... | multikv fields "CPU Time" "Status" "Skew Vertex"
0 Karma
Reply

linu1988
Champion
‎08-14-2013 03:19 AM

If you are not having field names, you can use _raw for calculation.

You can make a |mvexpand _raw|rex field=_raw "?\d+.\d+"

Reply

MarioM
Motivator
‎08-14-2013 03:00 AM

it will depends on the original format of the data and the format in splunk...
You can try "... | multikv forceheader=2" 2 being the line number of the fields name as you see in splunk.
If still not working you can configure a multikv.conf http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Multikvconf

0 Karma
Reply

nilampakhare
New Member
‎08-14-2013 01:57 AM

But for using multikv ..I need to extract the fields such as CPU Time ,Status ,etc ..r8 ?? In this case I am not able to extract the fields itself ...Can u please guide me through this..

0 Karma
Reply

lcrielaa
Communicator
‎08-14-2013 01:21 AM

"^\d+.\d+" as a regex will match any (1 or more) digit(s), then a period (.) and then another (1 or more) digit(s) at the beginning of a line.

0 Karma
Reply

kml_uvce
Builder
‎08-14-2013 01:16 AM

can you try this...

your search |rex "(?i)^(?P[^ ]+)" |table field_name

kamal singh bisht
0 Karma
Reply

kml_uvce
Builder
‎08-14-2013 03:33 AM

If I understand, you want to extract CPU time values (0.033, 0.097,5.409 etc) in a field and each line in above data is an event, in query you will get field_name with these values...
your search |rex "(?i)^(?P[^ ]+)" |table cpu_time

kamal singh bisht
0 Karma
Reply

nilampakhare
New Member
‎08-14-2013 01:54 AM

Here in this example I am not able to extract the values only for CPU Time...So here in this query in place of field_name , what do I need to mention ???

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...