multikv on raw data (row timestamp)

Explorer

Hello,
I'll jump into the main part.

Here is a snippet:
Tue 2015 15:00:23
ZGD-OCU-QQQ
POS-BKD-AKD
COK-ZPP-AKF

DISK-------USAGE-------HOST

My multikv extraction thinks "ZGD-OCU-QQQ" is my "fields".
It definitely is extracting the information correctly, but I'm trying to find a way to skip 3 lines (rows) after the timestamp so that it extracts the correct fields.

I would appreciate any help!
J

Re: multikv on raw data (row timestamp)

SplunkTrust

Try ... | multikv start_line=4 .... Adjust the start_line value as necessary.

---
If this reply helps you, an upvote would be appreciated.

Re: multikv on raw data (row timestamp)

Explorer

I still need to read the first line to record the timestamp, however.

Could I use any variation?

Re: multikv on raw data (row timestamp)

SplunkTrust

Use rex to extract the timestamp before using multikv on the rest.

---
If this reply helps you, an upvote would be appreciated.
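Putting the two replies together, here is a complete search that does what the thread describes: pull the row timestamp off the first line with rex, then let multikv parse the table further down. This is an added example, not the search either answerer posted. The index and sourcetype are placeholders, the timestamp pattern is taken from the posted snippet ("Tue 2015 15:00:23"), and the header position assumes the event has one timestamp line and three code lines before the header, so the header is the 5th non-empty line; multikv's forceheader option counts lines from 1 and skips empty lines, so blank lines in the event do not change that number. It also assumes the dashes in "DISK-------USAGE-------HOST" are really whitespace between three column names, which is what multikv needs to produce the fields DISK, USAGE and HOST.

```spl
index=main sourcetype=disk_usage_report
| rex field=_raw "^(?<row_ts>\w{3} \d{4} \d{2}:\d{2}:\d{2})"
| multikv forceheader=5 copyattrs=true rmorig=true
| table row_ts DISK USAGE HOST
```

The rex runs before multikv, so row_ts already exists on the original event when multikv splits it into one event per table row; copyattrs=true (the default) copies every field of the original event, row_ts included, onto each generated row, which is how the timestamp ends up next to every DISK/USAGE/HOST triple. rmorig=true drops the original multi-line event so the results contain only the table rows. If the snippet's line count is not representative of the real events, adjust forceheader rather than the regex; the regex is anchored to the start of _raw and does not depend on the number of lines that follow. The timestamp in the snippet carries no month or day, so it is kept as a string field here rather than written into _time.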