Suppose I have a table like this:
_time  ClientX:raw_value  ClientX:score  ClientX:state  ClientY:raw_value  ClientY:score  ClientY:state
18:00  5                  3              1              11                 2              0
This table came from using the R-app for number crunching, but now I want to use Splunk for different visualizations. For example, I may want to use the search:
chart sum(score) over _time by Client
You're looking for the multikv command! Literally: Extracts field-values from table-formatted events.
Just pipe to multikv like this:
... | multikv | chart sum(score) over _time by Client
Alternatively, specify which fields you'd like to extract as a list of field names after multikv:
... | multikv score Client | chart...
Extracts fields from events with information in a tabular format (e.g. top, netstat, ps, ... etc). A new event will be created for each table row. Field names will be derived from the title row of the table.
An example of the type of data multikv is designed to handle:
Name      Age  Occupation
Josh      42   SoftwareEngineer
Francine  35   CEO
Samantha  22   ProjectManager
The key properties here are:
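To make the behaviour concrete, here is an added Python example (not Splunk's code and not from the answer above) that re-implements what multikv does to a single table-formatted event: the title row supplies the field names and every data row becomes its own event. It then goes one step beyond the answer and unpivots the asker's ClientX:/ClientY: column prefixes into a real Client field, which is what a chart "by Client" needs to group on. Assumptions: a data row is split on whitespace when that yields exactly one value per header word, otherwise it is cut at the character offsets where the header words start; the function names multikv, split_client_fields and chart_sum and both sample tables are constructed for this example.

```python
"""Added example (not Splunk's code): a small re-implementation of what the
multikv command does to a table-formatted event, followed by the reshaping
the question's column layout needs. Assumption: each data row is split on
whitespace when that yields exactly one value per header word; otherwise the
row is cut at the character offsets where the header words start (so aligned
values containing spaces still land in the right column). Samples are
constructed."""
import re
from collections import defaultdict

# Constructed sample in the shape of the asker's R output: one event holding
# a whole table, with a ClientX:/ClientY: prefix on every per-client column.
CLIENT_TABLE = """\
_time  ClientX:raw_value  ClientX:score  ClientX:state  ClientY:raw_value  ClientY:score  ClientY:state
18:00  5                  3              1              11                 2              0
19:00  7                  4              0              9                  6              1
"""

# Constructed sample like the docs excerpt; the last row has a value with a
# space in it to exercise the positional fallback.
PEOPLE_TABLE = """\
Name      Age  Occupation
Josh      42   SoftwareEngineer
Francine  35   CEO
Samantha  22   Project Manager
"""


def multikv(event_text, fields=None):
    """Split one table-formatted event into one dict per data row.

    Field names are taken from the title row. Pass `fields` (an iterable of
    names) to keep only those columns, like `multikv fields <list>`."""
    lines = [ln for ln in event_text.splitlines() if ln.strip()]
    if not lines:
        return []
    header_words = list(re.finditer(r"\S+", lines[0]))
    names = [m.group() for m in header_words]
    starts = [m.start() for m in header_words] + [None]  # None = to end of line
    keep = set(fields) if fields is not None else None
    rows = []
    for line in lines[1:]:
        tokens = line.split()
        if len(tokens) != len(names):
            # Fallback: slice the row at the header column offsets.
            tokens = [line[lo:hi].strip() for lo, hi in zip(starts, starts[1:])]
        rows.append({n: v for n, v in zip(names, tokens)
                     if keep is None or n in keep})
    return rows


def split_client_fields(rows, key_field="_time"):
    """Unpivot 'Client:field' columns into one event per (row, client), so a
    chart 'by Client' has a Client field to group on."""
    events = []
    for row in rows:
        per_client = defaultdict(dict)
        for name, value in row.items():
            if ":" in name:
                client, field = name.split(":", 1)
                per_client[client][field] = value
        for client, client_fields in sorted(per_client.items()):
            events.append({key_field: row[key_field], "Client": client,
                           **client_fields})
    return events


def chart_sum(events, field, over, by):
    """Equivalent of `chart sum(<field>) over <over> by <by>` on the events."""
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        table[ev[over]][ev[by]] += int(ev[field])
    return {k: dict(v) for k, v in table.items()}


if __name__ == "__main__":
    per_row = multikv(CLIENT_TABLE)
    per_client = split_client_fields(per_row)
    print(chart_sum(per_client, "score", over="_time", by="Client"))
```

Running the script prints one dictionary per _time value with the summed score per Client. Note that multikv alone leaves you with field names like ClientX:score on each row event; the unpivot step is what turns the client name into a value you can split a chart by.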
Did @aljohnson_splunk's answer below solve your question? If yes, be sure to accept his answer by clicking "Accept" just below his answer. If not, please let him know.