Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiline table processing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiline table processing
How can I process tables like below where Data is spread across multiple lines. and Top start set defines Field name and a data set starts with "0 CP1_LS" and the next set beibg "1 CP1_LS" and so on. This by the way is a data-set that gets produced every 30 min.
TABLE LABEL :
KEY (C7_LINKSET_NUMBER)
INFO (C7LINK_OMINFO)
C7MSUTX C7MSUTX2 C7MSURX C7MSURX2 C7BYTTX C7BYTTX2
C7BYTRX C7BYTRX2 C7BYTRT C7BYTRT2 C7MSUDSC C7ONSET1
C7ONSET2 C7ONSET3 C7ONSETV C7ABATE1 C7ABATE2 C7ABATE3
C7ABATEV C7MSUDC1 C7MSUDC2 C7MSUDC3 C7STRET C7MSBRET
C7MSGLOS C7MSGMSQ C7MSUOR C7MSUOR2 C7MSUTE C7MSUTE2
C7MSUTS C7MSUTS2
0 CP1_LS
0
4582 0 3493 0 1783 1
16130 1 0 0 0 0
0 0 0 0 0 0
0 0 0 0 2 2
0 0 4583 0 3492 0
0 0
1 CP1_LS
1
4800 0 3525 0 7121 1
17754 1 0 0 0 0
0 0 0 0 0 0
0 0 0 0 2 2
0 0 4800 0 3524 0
0 0
2 CP6_LS
0
5760 0 4890 0 1088 2
15420 1 0 0 0 0
0 0 0 0 0 0
0 0 0 0 2 2
0 0 5762 0 4889 0
0 0
3 CP2_LS
0
7367 0 5320 0 31485 2
58433 1 0 0 0 0
0 0 0 0 0 0
0 0 0 0 2 2
0 0 7366 0 5324 0
0 0
So from the above data set, I want to be able to timechart "C7BYTTX" by "CP6_LS" element.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lowell,
Thanks, your are right multikv may be the place to start, wihch give me an idea to make it work for multikv. Reformating it, so it's multikv friendly
KEY(C7_LINKSET_NUMBER) INFO(C7LINK_OMINFO) C7MSUTX C7MSUTX2 C7MSURX C7MSURX2 C7BYTTX C7BYTTX2 C7BYTRX C7BYTRX2 C7BYTRT C7BYTRT2 C7MSUDSC C7ONSET1 C7ONSET2 C7ONSET3 C7ONSETV C7ABATE1 C7ABATE2 C7ABATE3 C7ABATEV C7MSUDC1 C7MSUDC2 C7MSUDC3 C7STRET C7MSBRET C7MSGLOS C7MSGMSQ C7MSUOR C7MSUOR2 C7MSUTE C7MSUTE2 C7MSUTS C7MSUTS2 0
CP1_LS 0 4582 0 3493 0 1783 1 16130 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 4583 0 3492 0 0 0 1
CP1_LS 1 4800 0 3525 0 7121 1 17754 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 4800 0 3524 0 0 0
Like that and do multikv.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any luck with mulitkv? I think this seems to complicated, but that's probably the best place to start.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
