Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- MVINDEX not working well with SPACE separated valu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MVINDEX not working well with SPACE separated values
mrigs
New Member
09-30-2017
04:41 PM
Hello All,
For an event like this -
CPU uPct nPct sPct wPct iPct
all 0.63 0.00 0.38 0.00 98.99
0 0.00 0.00 0.00 0.00 100.00
1 1.00 0.00 0.00 0.00 99.00
2 0.00 0.00 0.00 0.00 100.00
3 0.00 0.00 0.00 0.00 100.00
I want to extract the iPct value for the all row. For some reason my split and mvindex commands are not working properly. This is what I have tried -
*<base search>*
| rex field=_raw "all(?<cpuUsage>.*)\\n"
| eval cpuFields = split(cpuUsage, " ")
| eval cpuIdle = mvindex(cpuFields,4)
| table _time, cpuIdle
The separation works fine, but may be I am doing something wrong with the mvindex? Please advise!
Thank you
M
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
10-01-2017
09:14 AM
The problem might be that there are multiple spaces between the values.
Since you only want the last value on the line, this would be simpler.
*<base search>*
| rex field=_raw "all.*\s(?<cpuIdle>\S+)$"
...or if you wanted everything on the all line...
| rex "^(?<CPU>all)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
...or on all lines...
| rex "^(?<CPU>\S+)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mrigs
New Member
10-04-2017
07:26 PM
Thank you. A bit crude, but this worked for me -
| rex field=_raw "all(?:.*) (?<cpuIdle>([0-9]|\.)+)\\n"
It would still be interesting to find out why my SPLIT didn't work as expected!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
10-01-2017
06:12 AM
what does cpuidle return for you?
i think maybe, you need to use -
| eval cpuIdle = mvindex(cpuFields,5) to get ipct values?
Can you please post a screen shot of what your CURRENT query returns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mrigs
New Member
10-04-2017
07:23 PM
My cpuidle shows up blank.
_time cpuUsage cpuFields cpuIdle
2017-10-04 22:00:17 2.02 0.00 1.01 0.00 96.97 2.02
0.00
1.01
0.00
96.97
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
