Multikv extraction - Tables within a table?

rturk
Builder

Hi Splunkers,

So I'm getting started with multikv extractions, and I've come across this issue. I'm attempting to generate a report (based on the output of Solarwinds) that will graph the average number of concurrent connections per virtual server on a specific physical ESX server. The log format is as follows:

Virtual Server Concurrent Connections    
LAST 3 MONTHS 
PSRV-0001    
DATE / TIME VS-0001 VS-0002     VS-0003     VS-0004 
29-Apr-11   0       0.142857143 0           0 
6-May-11    0       0.285714286 0           0 
13-May-11   0       0           0           0 
20-May-11   0       0           0           0 
27-May-11   0       0           0           0 
3-Jun-11    0       0           0           0 
10-Jun-11   0       0           0           0 
17-Jun-11   0       0           0.018867925 0.018867925 
24-Jun-11   0       0.005952381 0           0.005952381 
1-Jul-11    0       0.011904762 0           0.005952381 
8-Jul-11    0       0           0           0.011904762 
15-Jul-11   0       0.017       0.006       0.007 

Now I've worked through the examples in the documentation, but I can't seem to find a way to make this work the way I want it to, specifically around field extractions (I'm fine with the reporting side of things). To better illustrate the values I'm attempting to extract and report on, I've put together this little HTML table.

Virtual Server Concurrent Connections
LAST THREE MONTHS
[host] PSRV-0001
DATE / TIME   VS-0001   VS-0002       VS-0003       VS-0004       [virtual_host]
29-Apr-11     0         0.142857143   0             0
6-May-11      0         0.285714286   0             0
13-May-11     0         0             0             0
20-May-11     0         0             0             0
27-May-11     0         0             0             0
3-Jun-11      0         0             0             0
10-Jun-11     0         0             0             0
17-Jun-11     0         0             0.018867925   0.018867925
24-Jun-11     0         0.005952381   0             0.005952381
1-Jul-11      0         0.011904762   0             0.005952381
8-Jul-11      0         0             0             0.011904762
15-Jul-11     0         0.017         0.006         0.007
[timestamp]   [concurrent-connections]

In essence, I'm trying to extract what would be the logged equivalent of the following (which would be easy to report on):

# timestamp, virtual_server, concurrent_connections 
29-Apr-11, VS-0001, 0 
29-Apr-11, VS-0002, 0.142857143 
29-Apr-11, VS-0003, 0 
29-Apr-11, VS-0004, 0 
6-May-11, VS-0001, 0 
6-May-11, VS-0002, 0.285714286 
6-May-11, VS-0003, 0 
6-May-11, VS-0004, 0 
... 

The following caveats are in play:

  • The host value is variable (i.e. it changes naming conventions depending on the origin of the data)
  • The virtual_host values are also variable
  • The number of virtual_hosts on a given host is variable

Can someone please point me in the right direction here, or tell me if this is even possible? There will be much kudos & upvoting for whoever helps!

0 Karma
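One way to get the long format the question describes is to unpivot the report before it reaches Splunk, since a column-oriented multikv extraction yields one field per VS-nnnn column rather than a single virtual_host field. This is an added example, not the poster's setup or a Splunk feature; it assumes the host name is always the non-empty line directly above the DATE / TIME header, as in the sample shown, and the embedded report is constructed from that sample.

```python
import re
from typing import Dict, List

# Constructed sample in the SolarWinds layout quoted in the question:
# title lines, host line, column header, then one row per date.
SAMPLE_REPORT = """\
Virtual Server Concurrent Connections
LAST 3 MONTHS
PSRV-0001
DATE / TIME VS-0001 VS-0002     VS-0003     VS-0004
29-Apr-11   0       0.142857143 0           0
6-May-11    0       0.285714286 0           0
17-Jun-11   0       0           0.018867925 0.018867925
"""

HEADER_PREFIX = "DATE / TIME"
# Data rows start with a d-Mon-yy date; the rest is one value per column.
ROW_RE = re.compile(r"^(\d{1,2}-[A-Za-z]{3}-\d{2})\s+(.*)$")

def unpivot_report(text: str) -> List[Dict[str, str]]:
    """Turn the wide table into one record per (timestamp, virtual_host).

    The host is whatever non-empty line precedes the column header (assumption), so its
    naming convention is irrelevant; the virtual-host names and their count come from
    that header. Values are kept exactly as logged so no precision is lost.
    """
    host, columns, previous = "", [], ""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(HEADER_PREFIX):
            host = previous
            columns = line[len(HEADER_PREFIX):].split()
        elif columns:
            m = ROW_RE.match(line)
            if m:                                  # ignore trailing non-data text
                values = m.group(2).split()
                if len(values) != len(columns):    # refuse to mis-assign a column
                    raise ValueError(f"{m.group(1)}: {len(values)} values, {len(columns)} columns")
                for vhost, value in zip(columns, values):
                    records.append({"timestamp": m.group(1), "host": host,
                                    "virtual_host": vhost, "concurrent_connections": value})
        previous = line
    return records

def to_lines(records: List[Dict[str, str]]) -> List[str]:
    """Render records as the 'timestamp, virtual_server, value' lines the question asks for."""
    return [f"{r['timestamp']}, {r['virtual_host']}, {r['concurrent_connections']}" for r in records]
```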
1 Solution

MarioM
Motivator

Have you tried to use your multikv settings by creating a multikv.conf?

There are examples at the bottom of the linked page.


rturk
Builder

I've tried (and am continuing to try) with the examples that have been provided; however, I'm not looking to make fields named "VS-0001", "VS-0002", etc. These values need to be extracted to a "virtual_host" field.

My HTML table did have colours to indicate what I'm trying to do, however they got lost once I submitted the question.

0 Karma