Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract fields with multiple values in raw data

theouhuios
Motivator
‎12-12-2012 10:20 AM

Hello

I need to extract total from Mem and free from buffers/cache. Any idea on how do I do that?

          total       used       free     shared    buffers     cached

Mem: 3820 3685 134 0 663 2115

buffers/cache: 907 2913

I did try using multikv

multikv fields total free filter Mem buffers/cache

But it doesn't give the data as expected.

Data before the perl script was used to strip off few fields

             total       used       free     shared    buffers     cached

Mem: 3820 3666 154 0 658 1980

-/+ buffers/cache: 1027 2793

Swap: 2047 0 2047

Total: 5868 3666 2202

When I used multikv it was considering ttal as 3820 and -/+ buffers/cache. To avoid this I removed the -/+ , Swap and Total (not needed). Now its not even recognizing when I do multikv fields free filter buffers/cache.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎12-12-2012 07:15 PM

This should work, whether or not you use the Perl script. It will give you two field: mem_total and cache_free

yoursearchhere
| rex "(?m)Mem:\s*(?<mem_total>\d+)\s*cache:\s*\d+\s+(?<cache_free>\d+)"
0 Karma
Reply

theouhuios
Motivator
‎12-13-2012 07:05 AM

Nope. Even this isn't working. Should I just input the raw data instead of using a script to modify the data and format? Probably that's messing it up

0 Karma
Reply

theouhuios
Motivator
‎12-12-2012 10:40 AM

Edited my first post with more info.

0 Karma
Reply

theouhuios
Motivator
‎12-12-2012 10:37 AM

I actually wrote a perl script to remove few things which weren't needed like -/+ in the output of free -tm command. I did that because of the issues in the multikv. It was considering -/+ buffers/cache as a value to total and this wasn't letting use any calculations.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:29 AM

multikv is typically what would work. What results are you getting from using multikv?

0 Karma
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c;Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...