Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

KV_MODE = multi not capturing fields

jamesvz84
Communicator
‎06-02-2014 01:09 PM

I am using the splunk for unix app and the KV_MODE = multi entry in props.conf is not working. For example, I am still getting the raw output of cpu.sh:

CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       0.17       4.16       0.25       0.00      95.42
0         1.00       0.00       1.00       0.00      98.00
1         0.00      99.01       0.99       0.00       0.00
2         0.00       0.00       0.00       0.00     100.00
3         0.00       0.00       0.00       0.00     100.00
4         0.00       0.00       1.00       0.00      99.00
5         0.00       0.00       0.00       0.00     100.00
6         0.00       0.00       0.00       0.00     100.00
7         0.00       0.00       0.00       0.00     100.00
8         0.00       0.00       0.00       0.00     100.00
9         0.00       0.00       0.00       0.00     100.00
10        0.00       0.00       1.00       0.00      99.00
11        0.00       0.00       0.00       0.00     100.00
12        0.00       0.00       0.00       0.00     100.00
13        0.99       0.00       0.00       0.00      99.01
14        0.00       0.00       0.00       0.00     100.00
15        0.99       0.00       0.99       0.00      98.02
16        0.99       0.00       0.99       0.00      98.02
17        0.00       0.00       0.99       0.00      99.01
18        0.00       0.00       0.00       0.00     100.00
19        0.00       0.00       1.00       0.00      99.00
20        0.00       0.00       0.00       0.00     100.00
21        0.00       0.00       0.00       0.00     100.00
22        0.00       0.00       0.99       0.00      99.01
23        0.99       0.00       0.00       0.00      99.01

Here is my currect config in props.conf:

[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
CHECK_FOR_HEADER = true
FIELDALIAS-dest_for_cpu = host as dest
FIELDALIAS-src_for_cpu = host as src
FIELDALIAS-cpu_for_cpu = CPU as cpu
FIELDALIAS-idle_time_for_cpu = pctIdle AS PercentIdleTime
FIELDALIAS-nice_time_for_cpu = pctNice AS PercentNiceTime
FIELDALIAS-cpu_load_percent_for_cpu = pctSystem AS PercentSystemTime,pctSystem as cpu_load_percent
FIELDALIAS-cpu_user_percent_for_cpu = pctUser AS PercentUserTime,pctUser as cpu_user_percent
FIELDALIAS-wait_time_for_cpu = pctIowait AS PercentWaitTime

I've tried both with and without CHECK_FOR_HEADER = true , and also I tried putting the props.conf on the heavy forwarder (didn't work) and then on the indexer itself and made sure deployment server restarted the HF/indexer. Nothing has worked so far. Does anyone have any other ideas?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

jamesvz84
Communicator
‎07-15-2014 01:51 PM

I resolved this by splitting up the config. Half was put on Heavy Forwarder, half was put on Search Head. Then restarted both. Not sure why I had to do this, but it works:

On Heavy Forwarder

[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
CHECK_FOR_HEADER = true

On Search Head:

   [cpu]
    FIELDALIAS-dest_for_cpu = host as dest
    FIELDALIAS-src_for_cpu = host as src
    FIELDALIAS-cpu_for_cpu = CPU as cpu
    FIELDALIAS-idle_time_for_cpu = pctIdle AS PercentIdleTime
    FIELDALIAS-nice_time_for_cpu = pctNice AS PercentNiceTime
    FIELDALIAS-cpu_load_percent_for_cpu = pctSystem AS PercentSystemTime,pctSystem as cpu_load_percent
    FIELDALIAS-cpu_user_percent_for_cpu = pctUser AS PercentUserTime,pctUser as cpu_user_percent
    FIELDALIAS-wait_time_for_cpu = pctIowait AS PercentWaitTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎01-12-2020 09:59 PM

In my case, the header line was having 'tab' character. After replacing the 'tab' characters with 'space' characters, the field extraction worked.

0 Karma
Reply
Solved! Jump to solution
Solution

jamesvz84
Communicator
‎07-15-2014 01:51 PM

I resolved this by splitting up the config. Half was put on Heavy Forwarder, half was put on Search Head. Then restarted both. Not sure why I had to do this, but it works:

On Heavy Forwarder

[cpu]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE = multi
CHECK_FOR_HEADER = true

On Search Head:

   [cpu]
    FIELDALIAS-dest_for_cpu = host as dest
    FIELDALIAS-src_for_cpu = host as src
    FIELDALIAS-cpu_for_cpu = CPU as cpu
    FIELDALIAS-idle_time_for_cpu = pctIdle AS PercentIdleTime
    FIELDALIAS-nice_time_for_cpu = pctNice AS PercentNiceTime
    FIELDALIAS-cpu_load_percent_for_cpu = pctSystem AS PercentSystemTime,pctSystem as cpu_load_percent
    FIELDALIAS-cpu_user_percent_for_cpu = pctUser AS PercentUserTime,pctUser as cpu_user_percent
    FIELDALIAS-wait_time_for_cpu = pctIowait AS PercentWaitTime
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...