Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract fields with multiple values in raw data

theouhuios
Motivator
‎12-12-2012 10:20 AM

Hello

I need to extract total from Mem and free from buffers/cache. Any idea on how do I do that?

          total       used       free     shared    buffers     cached

Mem: 3820 3685 134 0 663 2115

buffers/cache: 907 2913

I did try using multikv

multikv fields total free filter Mem buffers/cache

But it doesn't give the data as expected.

Data before the perl script was used to strip off few fields

             total       used       free     shared    buffers     cached

Mem: 3820 3666 154 0 658 1980

-/+ buffers/cache: 1027 2793

Swap: 2047 0 2047

Total: 5868 3666 2202

When I used multikv it was considering ttal as 3820 and -/+ buffers/cache. To avoid this I removed the -/+ , Swap and Total (not needed). Now its not even recognizing when I do multikv fields free filter buffers/cache.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎12-12-2012 07:15 PM

This should work, whether or not you use the Perl script. It will give you two field: mem_total and cache_free

yoursearchhere
| rex "(?m)Mem:\s*(?<mem_total>\d+)\s*cache:\s*\d+\s+(?<cache_free>\d+)"
0 Karma
Reply

theouhuios
Motivator
‎12-13-2012 07:05 AM

Nope. Even this isn't working. Should I just input the raw data instead of using a script to modify the data and format? Probably that's messing it up

0 Karma
Reply

theouhuios
Motivator
‎12-12-2012 10:40 AM

Edited my first post with more info.

0 Karma
Reply

theouhuios
Motivator
‎12-12-2012 10:37 AM

I actually wrote a perl script to remove few things which weren't needed like -/+ in the output of free -tm command. I did that because of the issues in the multikv. It was considering -/+ buffers/cache as a value to total and this wasn't letting use any calculations.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:29 AM

multikv is typically what would work. What results are you getting from using multikv?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...