Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- MVINDEX not working well with SPACE separated valu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MVINDEX not working well with SPACE separated values
Hello All,
For an event like this -
CPU uPct nPct sPct wPct iPct
all 0.63 0.00 0.38 0.00 98.99
0 0.00 0.00 0.00 0.00 100.00
1 1.00 0.00 0.00 0.00 99.00
2 0.00 0.00 0.00 0.00 100.00
3 0.00 0.00 0.00 0.00 100.00
I want to extract the iPct value for the all row. For some reason my split and mvindex commands are not working properly. This is what I have tried -
*<base search>*
| rex field=_raw "all(?<cpuUsage>.*)\\n"
| eval cpuFields = split(cpuUsage, " ")
| eval cpuIdle = mvindex(cpuFields,4)
| table _time, cpuIdle
The separation works fine, but may be I am doing something wrong with the mvindex? Please advise!
Thank you
M
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem might be that there are multiple spaces between the values.
Since you only want the last value on the line, this would be simpler.
*<base search>*
| rex field=_raw "all.*\s(?<cpuIdle>\S+)$"
...or if you wanted everything on the all line...
| rex "^(?<CPU>all)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
...or on all lines...
| rex "^(?<CPU>\S+)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. A bit crude, but this worked for me -
| rex field=_raw "all(?:.*) (?<cpuIdle>([0-9]|\.)+)\\n"
It would still be interesting to find out why my SPLIT didn't work as expected!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what does cpuidle return for you?
i think maybe, you need to use -
| eval cpuIdle = mvindex(cpuFields,5) to get ipct values?
Can you please post a screen shot of what your CURRENT query returns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My cpuidle shows up blank.
_time cpuUsage cpuFields cpuIdle
2017-10-04 22:00:17 2.02 0.00 1.01 0.00 96.97 2.02
0.00
1.01
0.00
96.97
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
