Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is a multikv field null, even if it is not emp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is a multikv field null, even if it is not empty?
FritzWittwer_ol
Contributor
06-24-2016
06:14 AM
I'm trying to extract data from events which contain a table:
RAW Data Table
# | INST_ID | STATISTIC | VALUE
1 | 1 | DDL Initiated | 3786
2 | 1 | DDL Initiated (IPQ) | 0
3 | 1 | DFO Trees | 24036
4 | 1 | DML Initiated | 0
5 | 1 | DML Initiated (IPQ) | 0
6 | 1 | Distr Msgs Recv'd | 0
multikv.conf
[ops_db_ora_mkv]
header.linecount = 1
header.start_offset = 1
header.tokens = _tokenize_, -1,"|"
body.start_offset=2
body.tokens = _tokenize_, 0,"|"
Search String
.... | multikv conf=ops_db_ora_mkv fields STATISTIC | eval s=if(isnull(STATISTIC),"isnull",STATISTIC)
Result
Field Value
VALUE 3786
INST_ID 1
# 1
STATISTIC DDL Initiated
linecount 1
s isnull
The field STATISTIC, like the other fields, contains a value, but if I use it somewhere it is NULL, do I need another syntax to access this fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-01-2016
07:34 AM
I cannot tell you exactly what is wrong but I do not think that you need to be using multikv.conf because you can tell splunk how to figure all that out by using the forceheader=1 directive. Try this run-anywhere example as a starting point and merge it with your actual events:
|noop|stats count AS _raw|eval _raw=" # | INST_ID | STATISTIC | VALUE
1 | 1 | DDL Initiated | 3786
2 | 1 | DDL Initiated (IPQ) | 0
3 | 1 | DFO Trees | 24036
4 | 1 | DML Initiated | 0
5 | 1 | DML Initiated (IPQ) | 0
6 | 1 | Distr Msgs Recv'd | 0"
| multikv forceheader=1
| fields STATISTIC | eval s=if(isnull(STATISTIC),"isnull",STATISTIC)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jplumsdaine22
Influencer
07-01-2016
03:20 AM
Can you show an example of the search that is giving you NULL values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FritzWittwer_ol
Contributor
07-03-2016
10:52 PM
Its Just a simple search to select from one index:
index=xx_indexname_xx source="xx_source_xx" host=xx_host_xx | multikv conf=ops_db_ora_mkv fields STATISTIC | eval s=if(isnull(STATISTIC),"isnull",STATISTIC) | eval s1=mvindex(STATISTIC,1)
Get Updates on the Splunk Community!
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights!
Duration: ...
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
