Re: multikv field extraction

pmr · ‎09-29-2010

Hello, How do i use multikv to extract fields that have % or / in them ? I'm unable to extract if it has those characters (% or /) in them.

For example : in below

                 extended device statistics              
r/s    w/s   kr/s   kw/s wait actv wsvc_t asvc_t  %w  %b device
2.5    2.1   33.3    6.6  0.0  0.1    0.0   25.7   0   4 c1t0d0
0.0    0.0    0.0    0.0  0.0  0.0    0.0    1.7   0   0 c0t0d0

host=solaris-rao Options| sourcetype=Solaris_iostat Options| source=script Options

I'm able to run sourcetype="Solaris_iostat" | multikv fields device asvc_t and get my fields extracted.

But if run same with : sourcetype="Solaris_iostat" | multikv fields device %b (or kw/s), fields are not getting extracted. Is there something i need to provide to extract those fields ?

thanks pmr

gkanapathy · ‎09-30-2010

multikv simply drops non-word characters from the beginning of field names, and replaces non-words characters in the middle and end of field names with underscores. You can just use b and kw_s. If you are unsure, you simply omit the fields argument to multikv, it will just extract what it can, and you can inspect the resulting field names.

pmr · ‎09-30-2010

ah..great. it works now, thanks much. - pmr

multikv field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation