Solved: multikv not extracting fields

tzhmaba2 · ‎03-19-2012

Hi,

I have created a scripted source which genereates the following output:

   idx_size_kB  idx
24  aaa
24  aaa_sum
2364    appserver
8260716 audit
4   authDb
24  blockSignature
4   bonnie
59894276    defaultdb
324 fishbucket
8   hashDb
356468  hdm
24  hdm_sum
24  historydb
177152  _internaldb

As you see it's a simple du -sk on the indexing DB directory of splunk. When I try to do a timechart over one of the values the multikv doesn't generate any field. Also playing with the field picker does not work. Any ideas how can I pick two fields here: "idx_size_kB" and "idx"??

index= source=du_idx | multikv - and there are no fields generated. Is it because the values are shifted in eac line??

Regards,
Bartosz

tzhmaba2 · ‎03-20-2012

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post

tzhmaba2 · ‎03-20-2012

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

multikv not extracting fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

multikv not extracting fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions