multikv not extracting table

SapthagiriAavik · ‎08-13-2018

i have a unix system log information as tables in events.every event have 4 column and 10 rows. i want to extract all the row information in to 4 fields. but header and value row structure is different, i tried multikv with noheader/force header and regex still im not able get desired result.

Table Structure
.......\s...........\s................\s............\s...... (Header row of Table) separator: space
.......\t...........\t................\t............\t...... (Rest of the rows in Table) separator: tab

CPU pctUser PctSystem pctIowait pctIdle
0 32 62 0 6
2 52 82 0 7
...
...

while using noheader=true , i'm getting only second row of each table.

Is there any way to get all of the row info to corresponding field.

sdchakraborty · ‎11-13-2018

Hi,
Can you please add multikv.conf file with below stanza in $SPLUNK_HOME/etc/system/local/ directory and run the search provided below,

[tab_mkv]
header.start = "CPU"
header.linecount = 1
header.tokens = _tokenize_, -1," "
body.tokens = _tokenize_,-1, "  "

index=<index name> | multikv conf=tab_mkv

multikv not extracting table

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

multikv not extracting table

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers