Solved: Multikvs on Multiple Lines

silvermail · ‎01-05-2011

Hi everybody,

I have a piece of log that goes like the below as a single event.

Basically these are the statistics for 3 of the virtual servers, namely RealServer1, RealServer2 and RealServer3.

Question - I want to have a query that allows me to print on information such as the TotConn, Rx-pkts, Tx-pkts etc. for RealServer3

In this case, how can I refine my search such that when I apply multikv on the results, I am only applying it to RealServer3, and not to the rest of the virtual servers.

I tried to do a search e.g.

sourcetype=virtuallogs "Name: RealServer3" | multikv

But multikv in this case will also give me the results from RealServer1 and RealServer2 which is not what I wanted.

Thanks for any inputs again.

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown
Name: RealServer1            State: Enabled             IP:192.168.1.100:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0   
Name: RealServer2            State: Enabled             IP:192.168.1.101:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0   
Name: RealServer3            State: Active              IP:192.168.88.211:   1
Mac: 000c.29b8.6170          Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
http    ACT 0  0       6          0         18        0          1164       0
Server  Total  0       6          0         18        0          1164       0

twkan · ‎01-07-2011

Okay, I have decided to break the events into several chunks.

First break would be the Real Servers Info component, and it goes something like this:

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown

Second break onwards will be denoted by the Name: Realserver1, Name: Realserver2 etc.

    Name: Realservr1                     State: Active              IP:192.168.88.215:   1
    Mac: 000c.2957.46a5          Weight: 1/1              MaxConn: 2000000
    SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
    Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
    ----    --  -- ------- -------    -------   -------   --------   --------   ----
    default UNB 0  0       0          0         0         0          0          0
    http    FAL 0  0       0          0         0         0          0          0
    Server  Total  0       0          0         0         0          0          0

My props looks something like:

BREAK_ONLY_BEFORE = Name:
MUST_BREAK_AFTER = telnet@ServerIronADX 1000#

I think this is working, and I am able to multikv and report correctly.

View solution in original post

twkan · ‎01-07-2011

Okay, I have decided to break the events into several chunks.

First break would be the Real Servers Info component, and it goes something like this:

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown

Second break onwards will be denoted by the Name: Realserver1, Name: Realserver2 etc.

    Name: Realservr1                     State: Active              IP:192.168.88.215:   1
    Mac: 000c.2957.46a5          Weight: 1/1              MaxConn: 2000000
    SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
    Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
    ----    --  -- ------- -------    -------   -------   --------   --------   ----
    default UNB 0  0       0          0         0         0          0          0
    http    FAL 0  0       0          0         0         0          0          0
    Server  Total  0       0          0         0         0          0          0

My props looks something like:

BREAK_ONLY_BEFORE = Name:
MUST_BREAK_AFTER = telnet@ServerIronADX 1000#

I think this is working, and I am able to multikv and report correctly.

Multikvs on Multiple Lines

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Multikvs on Multiple Lines

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console