Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multikv not extracting data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I am trying to input data of free -tm in splunk. The raw data would look like
total used free shared buffers cached
Mem: 3820 3570 250 0 649 1695
-/+ buffers/cache: 1226 2594
Swap: 2047 0 2047
Total: 5868 3570 2297
And the data is being transformed into (its not properly aligned here, but it splunk it's in perfect alignment)
Memtype total used free shared buffers cached
Mem 3820 3615 205 0 629 2083
bufferscache 0 901 2919
But its not extracting the data properly. Didn't work even with forceheader=1.
I don't know if this makes any difference or not, but here is the code
#! usr/bin/perl
use warnings;
use strict;
my (@version,$version,@file,$file);
$version = `uname -a`;
@version=split(' ',$version);
unless ($version[0] eq "Linux")
{
#print "Version Not Linux\n";
exit;
}
@file = `free -tm`;
$file[0]=~ s/\s+/Memtype\t /;
$file[1]=~ s/://;
$file[2] =~ s/-\/\+\s+//;
$file[2] =~ s/\///;
$file[2] =~ s/:\s+/\t0\t/;
print $file[0];
print $file[1];
print $file[2];
Any help or suggestions??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would transform your script to create key=value pairs results as follow:
Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083
I would include a time stamp:
12/14/2012 00:00:00 +0000 Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083
Then, Splunk will automatically extract each field.
Lp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would transform your script to create key=value pairs results as follow:
Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083
I would include a time stamp:
12/14/2012 00:00:00 +0000 Memtype=Mem total=3820 used=3615 free=205 shared=0 buffers=629 cached=2083
Then, Splunk will automatically extract each field.
Lp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will be a good practice to include the time stamp in your script. In this way, you will have the time when the event was created.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk was able to extract it even without the timestamp. Thanks for help. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to I place the timestamp in it? Should this be done in the script itself? As of now the props.conf Date_config has been set to current. Would that be fine?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
