Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- multikv extraction fails when table contains empty...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multikv extraction fails when table contains empty fields
Hi,
I am trying to use multikv to parse the output of df.sh, which is part of the *nix application. On Solaris, the output of df.sh looks like this:
Filesystem Type Size Used Avail UsePct MountedOn
/dev/md/dsk/d15 ufs 9.6G 3.8G 5.7G 40% /
sharefs sharefs 0K 0K 0K 0% /etc/dfs/sharetab
10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01 1.5T 1.3T 214G 86% /logpool/logs/archive_global
Using multikv against this table results in the following mapping for the last line (NFS mount), due to an empty/null entry for Type:
Filesystem: 10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01
Type: 1.5T
Size: 1.3T
Used: 214G
Avail: 86%
UsePct: /logpool/logs/archive_global
MountedOn: <null>
All other rows extract correctly, given that they have a value for Type.
So, how can I get multikv to extract the fields correctly for all rows?
Regards,
Brett.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Is there any workaround in multikv.conf, column with missing values are being assigned values from next header with values..
Subsystem/Job User Number User Type Pool Pty CPU Int Rsp AuxIO CPU% Function Status Threads
JDENET_K ONEWORLD 01267 ONEWORLD BCI 8 20 15884.2 1 1.9 jvmStart DEQW 33
QSRVERR QUSER 00129 ONEWORLD PJ 2 20 18277.8 3832 .9 CNDW 1
Int & Rsp are blank & get values of AuxIO & CPU% respectively
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looks like a bug in df.sh on Solaris. What specific version of Solaris? Let us know and we will try to fix.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I have filed NIX-317 and will update you when I have more information on the fix. It seems like we can just put "null" in the type column when we aren't able to discern the fs type.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And df.sh:
% df.sh
Filesystem Type Size Used Avail UsePct MountedOn
/dev/md/dsk/d15 ufs 9.6G 3.8G 5.7G 41% /
10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01 1.5T 1.3T 205G 87% /logpool/logs/archive_global
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solaris 10. Here is some (edited) output, due to the character limit of replies.
% df -n
/ : ufs
/logpool/logs/archive_global: nfs
% df -h
Filesystem size used avail capacity Mounted on
/dev/md/dsk/d15 9.6G 3.8G 5.7G 41% /
10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01
1.5T 1.3T 205G 87% /logpool/logs/archive_global
If I can ever get this site to let me post the full output, I will.
Rgds,
Brett.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please post the search query used? I have checked multikv was working ...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
