
Problem using multikv to parse tabular data



I'm trying to create a custom multikv.conf stanza for the first time, and am having trouble getting it working. Here is an example of the events I'm working with:

Object ID Volume                    Aggregate     Storage Server          Daily Growth Rate   Days To Full Daily Growth Rate (%)
--------- ------------------------- ------------- ----------------------  ------------------- ------------ ---------------------
36906     volume_1                  aggr1_vmw_sas           1074009984            1                  10.0
25031     volume_2                  aggr2_vmw_sas             29670000           75                   0.6
25033     volume_3                  aggr2_vmw_sas             23464000          146                   0.4
5430      volume_4                  aggr1_vmw_sas             22181400          273                   0.3
Totals                                                                             1249102095

The multikv.conf stanza I created is as follows:

[volume_growth_rates]

#ignore the first two lines, as getting proper tokens with the spaces and % will be problematic
pre.start = "Object"
pre.linecount = 2
pre.ignore = _all_

#Manually define the header tokens
header.tokens = _token_list_, ObjectId, Volume, Aggregate, StorageServer, DailyGrowthRate, DaysToFull, DailyGrowthRatePct

#tokenize with space separators
body.end = "Totals"
body.tokens = _tokenize_, 0, " "

#ignore the 'Totals' line, as it doesn't really contain useful data.
post.start = "Totals"
post.linecount = 1
post.ignore = _all_

When I try to use this in search, nothing happens. Trying both:

... | multikv


... | multikv conf=volume_growth_rates

Any ideas on what I'm missing here?




Maybe it is an issue with identifying the header?

How does Splunk know when to ignore the header here?

Example with the manual approach of assigning headers: we specify the start of the header and the linecount:

# specify table header location and processing
header.start = "Object ID"
header.linecount = 1
header.tokens = _tokenize_, -1, " "

Splunk Employee

Tested in v6.0.

multikv.conf is annoying.
It is acting funny. We cannot trust the spec file.... sad. Examples do not work....

Solution 1. Forget about multikv.conf and use general Field Extraction

  • props.conf

    REPORT-multikv = test_multikv_table_1 test_multikv_table_2

  • transforms.conf

    [test_multikv_table_1]
    REGEX = ^((\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+))
    FORMAT = Row::$1 objectID::$2 volume::$3 aggregate::$4 storageServer::$5 dailyGrowthRate::$6 daysToFull::$7 growthRate::$8
    MV_ADD = true

    [test_multikv_table_2]
    REGEX = ^Totals\s+(\S+)
    FORMAT = Totals::$1

Solution 2. Stick with buggy multikv.conf

# Put multikv.conf on every Splunk instance (Search Head and Peers)
  • props.conf

    LINE_BREAKER = ([\n\r]+)Object ID
    KV_MODE = multi_volumeGrowthRates

  • multikv.conf

    Bug: must be located in the Search Peer's local directory, instead of in the bundle from the SH

    Not sure if "pre" is working

    pre.start = "Object"
    pre.end = "----.*"
    pre.linecount = 2
    pre.ignore = _all_

    header setting

    header.tokens = _token_list_, "ObjectId", "Volume", "Aggregate", "StorageServer", "DailyGrowthRate", "DaysToFull", "DailyGrowthRatePct"

    Body needs to set ignoring of pre and post lines

    body.tokens = _tokenize_, 0, " "
    body.ignore = _regex_ "----|Totals"

    Post... ignore is not working???

    post.start = "Totals"
    post.linecount = 1
    post.ignore = _all_