Extract fields with multiple values in raw data

theouhuios · ‎12-12-2012

Hello

I need to extract total from Mem and free from buffers/cache. Any idea on how do I do that?

          total       used       free     shared    buffers     cached

Mem: 3820 3685 134 0 663 2115

buffers/cache: 907 2913

I did try using multikv

multikv fields total free filter Mem buffers/cache

But it doesn't give the data as expected.

Data before the perl script was used to strip off few fields

             total       used       free     shared    buffers     cached

Mem: 3820 3666 154 0 658 1980

-/+ buffers/cache: 1027 2793

Swap: 2047 0 2047

Total: 5868 3666 2202

When I used multikv it was considering ttal as 3820 and -/+ buffers/cache. To avoid this I removed the -/+ , Swap and Total (not needed). Now its not even recognizing when I do multikv fields free filter buffers/cache.

lguinn2 · ‎12-12-2012

This should work, whether or not you use the Perl script. It will give you two field: mem_total and cache_free

yoursearchhere
| rex "(?m)Mem:\s*(?<mem_total>\d+)\s*cache:\s*\d+\s+(?<cache_free>\d+)"

theouhuios · ‎12-13-2012

Nope. Even this isn't working. Should I just input the raw data instead of using a script to modify the data and format? Probably that's messing it up

theouhuios · ‎12-12-2012

Edited my first post with more info.

theouhuios · ‎12-12-2012

I actually wrote a perl script to remove few things which weren't needed like -/+ in the output of free -tm command. I did that because of the issues in the multikv. It was considering -/+ buffers/cache as a value to total and this wasn't letting use any calculations.

sdaniels · ‎12-12-2012

multikv is typically what would work. What results are you getting from using multikv?

Extract fields with multiple values in raw data

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)