Splunk Search

Multikv extraction - Tables within a table?

rturk
Builder

Hi Splunkers,

So I'm getting started with multikv extractions, and I've come across this issue. I'm attempting to generate a report (based on the output of Solarwinds) that will graph the average number of concurrent connections per virtual server on a specific physical ESX server. The log format is as follows:

Virtual Server Concurrent Connections    
LAST 3 MONTHS 
PSRV-0001    
DATE / TIME VS-0001 VS-0002     VS-0003     VS-0004 
29-Apr-11   0       0.142857143 0           0 
6-May-11    0       0.285714286 0           0 
13-May-11   0       0           0           0 
20-May-11   0       0           0           0 
27-May-11   0       0           0           0 
3-Jun-11    0       0           0           0 
10-Jun-11   0       0           0           0 
17-Jun-11   0       0           0.018867925 0.018867925 
24-Jun-11   0       0.005952381 0           0.005952381 
1-Jul-11    0       0.011904762 0           0.005952381 
8-Jul-11    0       0           0           0.011904762 
15-Jul-11   0       0.017       0.006       0.007 

Now I've worked through the examples in the documentation, but I can't seem to find a way to make this work the way I want it to, specifically around field extractions (I'm fine with the reporting side of things). To better illustrate the values I'm attempting to extract and report on, I've put together this little HTML table.

Virtual Server Concurrent Connections
LAST THREE MONTHS
PSRV-0001                                                        <- [host]
DATE / TIME   VS-0001   VS-0002       VS-0003       VS-0004      <- [virtual_host] (one per column)
29-Apr-11     0         0.142857143   0             0
6-May-11      0         0.285714286   0             0
13-May-11     0         0             0             0
20-May-11     0         0             0             0
27-May-11     0         0             0             0
3-Jun-11      0         0             0             0
10-Jun-11     0         0             0             0
17-Jun-11     0         0             0.018867925   0.018867925
24-Jun-11     0         0.005952381   0             0.005952381
1-Jul-11      0         0.011904762   0             0.005952381
8-Jul-11      0         0             0             0.011904762
15-Jul-11     0         0.017         0.006         0.007
[timestamp]   [concurrent-connections, one per virtual_host column]

In essence, I'm trying to extract what would be the logged equivalent of the following (which would be easy to report on):

# timestamp, virtual_server, concurrent_connections 
29-Apr-11, VS-0001, 0 
29-Apr-11, VS-0002, 0.142857143 
29-Apr-11, VS-0003, 0 
29-Apr-11, VS-0004, 0 
6-May-11, VS-0001, 0 
6-May-11, VS-0002, 0.285714286 
6-May-11, VS-0003, 0 
6-May-11, VS-0004, 0 
... 

The following caveats are in play:

  • The host value is variable (i.e. the naming convention changes depending on the origin of the data)
  • The virtual_host values are also variable
  • The number of virtual_hosts on a given host is variable

Can someone please point me in the right direction here, or tell me if this is even possible? There will be much kudos & upvoting for whoever helps!

0 Karma
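The transformation asked for above, as an added example that is not part of the original post and is not Splunk's multikv: a small parser that reads the report layout shown in the question and unpivots it into one record per (host, timestamp, virtual_server), so that the average per virtual server can be computed. It handles the three caveats listed (variable host name, variable virtual_host names, variable number of virtual_host columns) and goes one step beyond the question by accepting several host tables concatenated in one file. The sample report, the second host block (ESX-LAB-07, WEB-01, DB-01) and all function names are constructed for this example.

```python
"""Unpivot a "Virtual Server Concurrent Connections" report into long format.

Added example; not Splunk multikv and not the poster's code. The report
layout and the first host block are copied from the question; the second
host block is constructed to show that several tables per file are handled.
"""

import re
from datetime import date, datetime
from typing import NamedTuple

HEADER_LABEL = "DATE / TIME"                              # only fixed text in the header row
DATE_RE = re.compile(r"^\d{1,2}-[A-Z][a-z]{2}-\d{2}$")    # e.g. 29-Apr-11


class ConnectionSample(NamedTuple):
    host: str
    timestamp: str            # as written in the report, e.g. "29-Apr-11"
    when: date                # parsed from timestamp
    virtual_server: str
    concurrent_connections: float


def parse_report(text: str) -> list[ConnectionSample]:
    """Parse the report; raise ValueError on rows that do not fit their header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows: list[ConnectionSample] = []
    host = None
    columns: list[str] = []
    for i, line in enumerate(lines):
        if line.startswith(HEADER_LABEL):
            # "DATE / TIME" contains spaces: strip the label before tokenising,
            # otherwise a whitespace split would yield three junk columns.
            if i == 0:
                raise ValueError("header row has no preceding host line")
            host = lines[i - 1]                                # e.g. PSRV-0001
            columns = line[len(HEADER_LABEL):].split()         # VS names, any count
            if not columns:
                raise ValueError("header row names no virtual servers")
            continue
        fields = line.split()
        if not DATE_RE.match(fields[0]):
            continue                                           # title, "LAST 3 MONTHS", host line
        if host is None:
            raise ValueError(f"data row {fields[0]!r} appears before any header")
        values = fields[1:]
        if len(values) != len(columns):
            raise ValueError(
                f"row {fields[0]!r}: expected {len(columns)} values, got {len(values)}")
        when = datetime.strptime(fields[0], "%d-%b-%y").date()
        for vs, val in zip(columns, values):
            rows.append(ConnectionSample(host, fields[0], when, vs, float(val)))
    return rows


def average_by_virtual_server(rows: list[ConnectionSample]) -> dict[tuple[str, str], float]:
    """The figure the question wants to graph: mean concurrent connections per host/VS."""
    totals: dict[tuple[str, str], tuple[float, int]] = {}
    for r in rows:
        key = (r.host, r.virtual_server)
        s, n = totals.get(key, (0.0, 0))
        totals[key] = (s + r.concurrent_connections, n + 1)
    return {k: s / n for k, (s, n) in totals.items()}


def as_log_lines(rows: list[ConnectionSample]) -> list[str]:
    """The 'logged equivalent' layout from the question: timestamp, virtual_server, value."""
    return [f"{r.timestamp}, {r.virtual_server}, {r.concurrent_connections:.9g}" for r in rows]


# Constructed sample input (not real data): first block copied from the question's
# layout, second block added to exercise a different host with a different column set.
SAMPLE_REPORT = """\
Virtual Server Concurrent Connections
LAST 3 MONTHS
PSRV-0001
DATE / TIME VS-0001 VS-0002     VS-0003     VS-0004
29-Apr-11   0       0.142857143 0           0
6-May-11    0       0.285714286 0           0
17-Jun-11   0       0           0.018867925 0.018867925
ESX-LAB-07
DATE / TIME WEB-01 DB-01
1-Jul-11    0.5    1
8-Jul-11    1.5    1
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("\n".join(as_log_lines(parsed)))
    for (h, vs), avg in sorted(average_by_virtual_server(parsed).items()):
        print(f"{h} {vs} avg={avg:.4f}")
```

The host is taken from the line immediately before each `DATE / TIME` header, which is where it sits in the report shown above; if a feed places the host somewhere else, that is the one line to change. Rows whose value count does not match their header raise rather than silently shifting columns, which is the failure mode that quietly corrupts a per-VS average.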
1 Solution

MarioM
Motivator

Have you tried to use your multikv settings by creating a multikv.conf ?

There are examples at the bottom of the linked page.


rturk
Builder

I've tried (and am continuing to try) with the examples that have been provided, however I'm not looking to make fields named "VS-0001", "VS-0002" etc... These values need to be extracted to a "virtual_host" field.

My HTML table did have colours to indicate what I'm trying to do; however, they got lost once I submitted the question.

0 Karma