Solved: Multikv not extracting data

theouhuios · ‎12-14-2012

Hello

I am trying to input data of free -tm in splunk. The raw data would look like

              total       used       free     shared    buffers     cached
Mem:          3820       3570        250          0        649       1695

-/+ buffers/cache:       1226       2594

Swap:         2047          0       2047

Total:        5868       3570       2297

And the data is being transformed into (its not properly aligned here, but it splunk it's in perfect alignment)

Memtype     total       used       free     shared    buffers     cached
Mem          3820       3615        205          0        629       2083
bufferscache    0   901       2919

But its not extracting the data properly. Didn't work even with forceheader=1.

I don't know if this makes any difference or not, but here is the code

#! usr/bin/perl
use warnings;
use strict;

my (@version,$version,@file,$file);
$version = `uname -a`;
@version=split(' ',$version);
unless ($version[0] eq "Linux")
{
#print "Version Not Linux\n";
exit;
}
@file = `free -tm`;
$file[0]=~ s/\s+/Memtype\t    /;
$file[1]=~ s/://;
$file[2] =~ s/-\/\+\s+//;
$file[2] =~ s/\///;
$file[2] =~ s/:\s+/\t0\t/;
print $file[0];
print $file[1];
print $file[2];

Any help or suggestions??

lpolo · ‎12-14-2012

I would transform your script to create key=value pairs results as follow:

Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083

I would include a time stamp:

12/14/2012 00:00:00 +0000 Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083

Then, Splunk will automatically extract each field.

Lp

View solution in original post

lpolo · ‎12-14-2012

I would transform your script to create key=value pairs results as follow:

Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083

I would include a time stamp:

12/14/2012 00:00:00 +0000 Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083

Then, Splunk will automatically extract each field.

Lp

lpolo · ‎12-17-2012

It will be a good practice to include the time stamp in your script. In this way, you will have the time when the event was created.

theouhuios · ‎12-17-2012

Splunk was able to extract it even without the timestamp. Thanks for help. 🙂

theouhuios · ‎12-17-2012

How to I place the timestamp in it? Should this be done in the script itself? As of now the props.conf Date_config has been set to current. Would that be fine?

Multikv not extracting data

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application