Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: MVINDEX not working well with SPACE separated ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MVINDEX not working well with SPACE separated values
mrigs
New Member
09-30-2017
04:41 PM
Hello All,
For an event like this -
CPU uPct nPct sPct wPct iPct
all 0.63 0.00 0.38 0.00 98.99
0 0.00 0.00 0.00 0.00 100.00
1 1.00 0.00 0.00 0.00 99.00
2 0.00 0.00 0.00 0.00 100.00
3 0.00 0.00 0.00 0.00 100.00
I want to extract the iPct value for the all row. For some reason my split and mvindex commands are not working properly. This is what I have tried -
*<base search>*
| rex field=_raw "all(?<cpuUsage>.*)\\n"
| eval cpuFields = split(cpuUsage, " ")
| eval cpuIdle = mvindex(cpuFields,4)
| table _time, cpuIdle
The separation works fine, but may be I am doing something wrong with the mvindex? Please advise!
Thank you
M
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
10-01-2017
09:14 AM
The problem might be that there are multiple spaces between the values.
Since you only want the last value on the line, this would be simpler.
*<base search>*
| rex field=_raw "all.*\s(?<cpuIdle>\S+)$"
...or if you wanted everything on the all line...
| rex "^(?<CPU>all)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
...or on all lines...
| rex "^(?<CPU>\S+)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mrigs
New Member
10-04-2017
07:26 PM
Thank you. A bit crude, but this worked for me -
| rex field=_raw "all(?:.*) (?<cpuIdle>([0-9]|\.)+)\\n"
It would still be interesting to find out why my SPLIT didn't work as expected!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
10-01-2017
06:12 AM
what does cpuidle return for you?
i think maybe, you need to use -
| eval cpuIdle = mvindex(cpuFields,5) to get ipct values?
Can you please post a screen shot of what your CURRENT query returns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mrigs
New Member
10-04-2017
07:23 PM
My cpuidle shows up blank.
_time cpuUsage cpuFields cpuIdle
2017-10-04 22:00:17 2.02 0.00 1.01 0.00 96.97 2.02
0.00
1.01
0.00
96.97
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
