Splunk Enterprise

Extract fields with multiple values in raw data

theouhuios
Motivator

Hello

I need to extract total from Mem and free from buffers/cache. Any idea how I can do that?

          total       used       free     shared    buffers     cached

Mem: 3820 3685 134 0 663 2115

buffers/cache: 907 2913

I did try using multikv

multikv fields total free filter Mem buffers/cache

But it doesn't give the data as expected.

Data before the Perl script was used to strip off a few fields:

             total       used       free     shared    buffers     cached

Mem: 3820 3666 154 0 658 1980

-/+ buffers/cache: 1027 2793

Swap: 2047 0 2047

Total: 5868 3666 2202

When I used multikv it was considering total as 3820 and -/+ buffers/cache. To avoid this I removed the -/+, Swap and Total (not needed). Now it's not even recognizing when I do multikv fields free filter buffers/cache.

0 Karma

lguinn2
Legend

This should work, whether or not you use the Perl script. It will give you two fields: mem_total and cache_free

yoursearchhere
| rex "(?s)Mem:\s*(?<mem_total>\d+).*?cache:\s*\d+\s+(?<cache_free>\d+)"
0 Karma
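Added example, not part of the original thread and not Splunk's own code: a Python check of a rex-style pattern against the `free -tm` output quoted in the question, both before and after the Perl clean-up, plus a constructed event that holds only the `Mem:` line. The pattern, the `compile_rex` and `extract` helpers and the sample constants are assumptions made for this example; Python's `re` needs `(?P<name>...)` where rex accepts `(?<name>...)`, so the helper converts the group syntax.

```python
import re

# Constructed from the `free -tm` figures quoted in the question (raw output).
RAW_FREE = """\
             total       used       free     shared    buffers     cached
Mem:          3820       3666        154          0        658       1980
-/+ buffers/cache:       1027       2793
Swap:         2047          0       2047
Total:        5868       3666       2202
"""
# Constructed from the figures quoted after the Perl script stripped fields.
STRIPPED = """\
          total       used       free     shared    buffers     cached
Mem: 3820 3685 134 0 663 2115
buffers/cache: 907 2913
"""
# Constructed: the Mem line alone, as if each line were indexed as its own event.
SPLIT_EVENT = "Mem: 3820 3685 134 0 663 2115\n"

# rex-style pattern (assumption: written for this example, not Splunk's).
# (?s) lets '.' cross line breaks; the lazy .*? skips the remaining Mem columns
# and stops at the first 'buffers/cache:' label.
REX = r"(?s)Mem:\s+(?<mem_total>\d+).*?buffers/cache:\s+\d+\s+(?<cache_free>\d+)"


def compile_rex(pattern):
    """Convert PCRE named groups (?<name>...) to Python's (?P<name>...),
    leaving lookbehinds (?<= and (?<! untouched."""
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))


def extract(event, pattern=REX):
    """Return {'mem_total': int, 'cache_free': int}, or None when no match."""
    m = compile_rex(pattern).search(event)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


if __name__ == "__main__":
    samples = [("raw", RAW_FREE), ("stripped", STRIPPED), ("split", SPLIT_EVENT)]
    for name, event in samples:
        print(name, extract(event))
```

The single-line event yields no fields because the pattern needs the `Mem:` and `buffers/cache:` lines in the same event.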

theouhuios
Motivator

Nope. Even this isn't working. Should I just input the raw data instead of using a script to modify the data and format? Probably that's messing it up.

0 Karma

theouhuios
Motivator

Edited my first post with more info.

0 Karma

theouhuios
Motivator

I actually wrote a Perl script to remove a few things which weren't needed, like the -/+ in the output of the free -tm command. I did that because of the issues with multikv. It was considering -/+ buffers/cache as a value of total, and this wasn't letting me use any calculations.

0 Karma

sdaniels
Splunk Employee

multikv is typically what would work. What results are you getting from using multikv?

0 Karma