Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- MVINDEX not working well with SPACE separated valu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MVINDEX not working well with SPACE separated values
mrigs
New Member
09-30-2017
04:41 PM
Hello All,
For an event like this -
CPU uPct nPct sPct wPct iPct
all 0.63 0.00 0.38 0.00 98.99
0 0.00 0.00 0.00 0.00 100.00
1 1.00 0.00 0.00 0.00 99.00
2 0.00 0.00 0.00 0.00 100.00
3 0.00 0.00 0.00 0.00 100.00
I want to extract the iPct value for the all row. For some reason my split and mvindex commands are not working properly. This is what I have tried -
*<base search>*
| rex field=_raw "all(?<cpuUsage>.*)\\n"
| eval cpuFields = split(cpuUsage, " ")
| eval cpuIdle = mvindex(cpuFields,4)
| table _time, cpuIdle
The separation works fine, but may be I am doing something wrong with the mvindex? Please advise!
Thank you
M
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
10-01-2017
09:14 AM
The problem might be that there are multiple spaces between the values.
Since you only want the last value on the line, this would be simpler.
*<base search>*
| rex field=_raw "all.*\s(?<cpuIdle>\S+)$"
...or if you wanted everything on the all line...
| rex "^(?<CPU>all)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
...or on all lines...
| rex "^(?<CPU>\S+)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mrigs
New Member
10-04-2017
07:26 PM
Thank you. A bit crude, but this worked for me -
| rex field=_raw "all(?:.*) (?<cpuIdle>([0-9]|\.)+)\\n"
It would still be interesting to find out why my SPLIT didn't work as expected!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
10-01-2017
06:12 AM
what does cpuidle return for you?
i think maybe, you need to use -
| eval cpuIdle = mvindex(cpuFields,5) to get ipct values?
Can you please post a screen shot of what your CURRENT query returns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mrigs
New Member
10-04-2017
07:23 PM
My cpuidle shows up blank.
_time cpuUsage cpuFields cpuIdle
2017-10-04 22:00:17 2.02 0.00 1.01 0.00 96.97 2.02
0.00
1.01
0.00
96.97
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
