Archive

multikv not extracting fields

Path Finder

Hi,

I have created a scripted source which genereates the following output:

   idx_size_kB  idx
24  aaa
24  aaa_sum
2364    appserver
8260716 audit
4   authDb
24  blockSignature
4   bonnie
59894276    defaultdb
324 fishbucket
8   hashDb
356468  hdm
24  hdm_sum
24  historydb
177152  _internaldb

As you see it's a simple du -sk on the indexing DB directory of splunk. When I try to do a timechart over one of the values the multikv doesn't generate any field. Also playing with the field picker does not work. Any ideas how can I pick two fields here: "idx_size_kB" and "idx"??

index= source=du_idx | multikv - and there are no fields generated. Is it because the values are shifted in eac line??

Regards,
Bartosz

Tags (1)
0 Karma
1 Solution

Path Finder

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post

Path Finder

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!