Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting or breaking values out of a _raw line for better visualisation/monitoring

lemikg
Communicator
‎01-30-2013 07:56 AM

Hi everybody,

I am just getting started "splunking" and have done the tutorial so far, However, for my next report I want to query values from sourcetype="interfaces" and field _raw, which has several data sets. This is what I got:

Name MAC inetAddr Collisions RXbytes TXbytes Speed Duplex bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51xxxx98 720xx11409   em1 E0:xx:56:xx:xx:84   0 41102617 7203522xx1 1000Mb/s full em2 E0:xx:56:xx:xx:84   0 998xx07 0 1000Mb/s full

I want to be able to extract the fields and the associated values in order to table them accordingly.

1/30/13

4:13:19.000 PM


Name       MAC                inetAddr         inet6Addr                                  Collisions  RXbytes          TXbytes          Speed        Duplex

bond0      E0:xx:56:xx:xx:84  19x.1xx.1xx.xx   fe80::e2xx:xxff:fexx:6fxx/xx               0           51080098         7203511409               


em1        E0:xx:56:xx:xx:84                                                    0           41102617         7203522971       1000Mb/s     full


em2        E0:xx:56:xx:xx:84                                                    0           9981407          0                1000Mb/s     full

I tried field extraction (propably not quite right) due to the restrictions I get as soon as there are more than one MAC Address.

I hope I was able to describe the problem. Could anyone point me at the right direction?
I appreciate your help.

Best regards from Germany,

Mike

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lemikg
Communicator
‎01-30-2013 08:20 AM

I think I just found the answer

sourcetype=interfaces | multikv | table host bond0 em1 em2 inetAddr Collision RXbytes TXbytes

Also thanks to the provided video on Youtube Quick Tip: Making Sense of Tabular Data (multikv)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lemikg
Communicator
‎01-30-2013 08:20 AM

I think I just found the answer

sourcetype=interfaces | multikv | table host bond0 em1 em2 inetAddr Collision RXbytes TXbytes

Also thanks to the provided video on Youtube Quick Tip: Making Sense of Tabular Data (multikv)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...