Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

multikv not extracting fields

tzhmaba2
Path Finder
‎03-19-2012 08:33 AM

Hi,

I have created a scripted source which genereates the following output:

   idx_size_kB  idx
24  aaa
24  aaa_sum
2364    appserver
8260716 audit
4   authDb
24  blockSignature
4   bonnie
59894276    defaultdb
324 fishbucket
8   hashDb
356468  hdm
24  hdm_sum
24  historydb
177152  _internaldb

As you see it's a simple du -sk on the indexing DB directory of splunk. When I try to do a timechart over one of the values the multikv doesn't generate any field. Also playing with the field picker does not work. Any ideas how can I pick two fields here: "idx_size_kB" and "idx"??

index= source=du_idx | multikv - and there are no fields generated. Is it because the values are shifted in eac line??

Regards,
Bartosz

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tzhmaba2
Path Finder
‎03-20-2012 05:56 AM

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post

Reply
Solved! Jump to solution
Solution

tzhmaba2
Path Finder
‎03-20-2012 05:56 AM

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...