Splunk Enterprise

Extract fields with multiple values in raw data

theouhuios
Motivator

Hello

I need to extract total from Mem and free from buffers/cache. Any idea how I can do that?

          total       used       free     shared    buffers     cached

Mem: 3820 3685 134 0 663 2115

buffers/cache: 907 2913

I did try using multikv

multikv fields total free filter Mem buffers/cache

But it doesn't give the data as expected.

Data before the Perl script was used to strip off a few fields

             total       used       free     shared    buffers     cached

Mem: 3820 3666 154 0 658 1980

-/+ buffers/cache: 1027 2793

Swap: 2047 0 2047

Total: 5868 3666 2202

When I used multikv it was considering total as 3820 and -/+ buffers/cache. To avoid this I removed the -/+, Swap and Total (not needed). Now it's not even recognizing when I do multikv fields free filter buffers/cache.

0 Karma

lguinn2
Legend

This should work, whether or not you use the Perl script. It will give you two fields: mem_total and cache_free

yoursearchhere
| rex "(?m)Mem:\s*(?<mem_total>\d+)\s*cache:\s*\d+\s+(?<cache_free>\d+)"
0 Karma

theouhuios
Motivator

Nope. Even this isn't working. Should I just input the raw data instead of using a script to modify the data and format? Probably that's messing it up.

0 Karma

theouhuios
Motivator

Edited my first post with more info.

0 Karma

theouhuios
Motivator

I actually wrote a Perl script to remove a few things which weren't needed, like -/+ in the output of the free -tm command. I did that because of the issues in multikv. It was considering -/+ buffers/cache as a value to total and this wasn't letting me use any calculations.

0 Karma

sdaniels
Splunk Employee

multikv is typically what would work. What results are you getting from using multikv?

0 Karma
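
Added example, not part of the original thread: one way to extract both values with a single rex, run against two constructed sample events that mirror the raw and the script-stripped `free -tm` layouts quoted in the question. The `(?s)` flag lets `.*?` cross the line breaks and the remaining Mem: columns before the buffers/cache: line; the field name `constructed_sample` is an assumption used only to label the generated events.

```spl
| makeresults count=2
| streamstats count AS constructed_sample
| eval _raw=case(
    constructed_sample=1, "             total       used       free     shared    buffers     cached
Mem:          3820       3666        154          0        658       1980
-/+ buffers/cache:       1027       2793
Swap:         2047          0       2047
Total:        5868       3666       2202",
    constructed_sample=2, "          total       used       free     shared    buffers     cached
Mem: 3820 3685 134 0 663 2115
buffers/cache: 907 2913")
| rex "(?s)Mem:\s+(?<mem_total>\d+).*?buffers/cache:\s+\d+\s+(?<cache_free>\d+)"
| table constructed_sample mem_total cache_free
```

Because the pattern anchors on the literal labels rather than on column positions, it does not depend on the `-/+` prefix being stripped before indexing.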