Getting Data In

Filtering out header-only "events" after using MultiKV

Path Finder

I've been tweaking the *NIX app by adding some charts with queries such as:

index="os" sourcetype="who" host=$host$ | multikv | timechart count by USERNAME

The resulting chart has a large number of events where the USERNAME is NULL. This appears to be because the MultiKV command only filters out the header when there is a body in the event. If the "who" event only contains a header the MultiKV leaves it in the result set as an event.

What is the best way to get rid of these unwanted header "events"? I would prefer to index them, as then there is a contiguous record from the who script. I could use

index="os" sourcetype="who" | multikv | search _raw!="*USERNAME        LINE        HOSTNAME                                  TIME*"

however there are likely many other similar situations so a more generic solution would be helpful.

Is there a better way?


Tags (2)

Path Finder

I've upgraded to 4.2 and will try again with the universal forwarder as soon as I get a chance. Stay tuned!

Splunk Employee
Splunk Employee

I just don't get this behavior. multikv for me simply doesn't return the header rows, so I don't get this problem.

Splunk Employee
Splunk Employee

a slightly better approach would be:

index="os" sourcetype="who" host=$host$ | multikv | search USERNAME=* | timechart count by USERNAME

basically filter out all results that are missing the USERNAME field

Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...