
multikv field extraction

Explorer

Hello, how do I use multikv to extract fields that have % or / in them? I'm unable to extract them if they have those characters (% or /) in them.

For example, in the output below:

                 extended device statistics              
r/s    w/s   kr/s   kw/s wait actv wsvc_t asvc_t  %w  %b device
2.5    2.1   33.3    6.6  0.0  0.1    0.0   25.7   0   4 c1t0d0
0.0    0.0    0.0    0.0  0.0  0.0    0.0    1.7   0   0 c0t0d0

host=solaris-rao | sourcetype=Solaris_iostat | source=script

I'm able to run sourcetype="Solaris_iostat" | multikv fields device asvc_t and get my fields extracted.

But if I run the same with: sourcetype="Solaris_iostat" | multikv fields device %b (or kw/s), the fields are not getting extracted. Is there something I need to provide to extract those fields?

Thanks, pmr


Re: multikv field extraction

Splunk Employee

multikv simply drops non-word characters from the beginning of field names, and replaces non-word characters in the middle and end of field names with underscores. You can just use b and kw_s. If you are unsure, you can simply omit the fields argument to multikv; it will just extract what it can, and you can inspect the resulting field names.
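
The renaming rule from the reply above, applied to the iostat sample from the question, as an added Python sketch. It is not Splunk's multikv implementation and not part of the original thread; the function names and the header-detection heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the iostat output quoted in the question.
SAMPLE = """\
                 extended device statistics
r/s    w/s   kr/s   kw/s wait actv wsvc_t asvc_t  %w  %b device
2.5    2.1   33.3    6.6  0.0  0.1    0.0   25.7   0   4 c1t0d0
0.0    0.0    0.0    0.0  0.0  0.0    0.0    1.7   0   0 c0t0d0
"""


def normalize_field_name(raw):
    """Rename one column header following the rule stated in the reply."""
    name = re.sub(r"^\W+", "", raw)   # leading non-word characters are dropped
    return re.sub(r"\W", "_", name)   # remaining non-word characters become "_"


def parse_table(text):
    """Return (renamed, events) for a whitespace-delimited table.

    Assumed heuristic (not taken from Splunk): the header is the first line
    that has the same number of columns as the line after it, which skips
    the "extended device statistics" title line.
    """
    rows = [line.split() for line in text.splitlines() if line.strip()]
    for i in range(len(rows) - 1):
        if len(rows[i]) > 1 and len(rows[i]) == len(rows[i + 1]):
            header, data = rows[i], rows[i + 1:]
            break
    else:
        raise ValueError("no header row found")
    names = [normalize_field_name(h) for h in header]
    # Only the headers whose names change, e.g. "%b" -> "b".
    renamed = {h: n for h, n in zip(header, names) if h != n}
    events = [dict(zip(names, r)) for r in data if len(r) == len(names)]
    return renamed, events


if __name__ == "__main__":
    renamed, events = parse_table(SAMPLE)
    for raw, name in renamed.items():
        print(f"{raw:>6} -> {name}")
    for event in events:
        print(event["device"], event["b"], event["kw_s"])
```

The names it prints for the changed headers are the ones to pass to `multikv fields`, for example `multikv fields device b kw_s`.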


Re: multikv field extraction

Explorer

Ah, great. It works now, thanks much. - pmr
