Archive

multikv not extracting fields

Path Finder

Hi,

I have created a scripted source which genereates the following output:

   idx_size_kB  idx
24  aaa
24  aaa_sum
2364    appserver
8260716 audit
4   authDb
24  blockSignature
4   bonnie
59894276    defaultdb
324 fishbucket
8   hashDb
356468  hdm
24  hdm_sum
24  historydb
177152  _internaldb

As you see it's a simple du -sk on the indexing DB directory of splunk. When I try to do a timechart over one of the values the multikv doesn't generate any field. Also playing with the field picker does not work. Any ideas how can I pick two fields here: "idx_size_kB" and "idx"??

index= source=du_idx | multikv - and there are no fields generated. Is it because the values are shifted in eac line??

Regards,
Bartosz

Tags (1)
0 Karma
1 Solution

Path Finder

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post

Path Finder

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post