Solved: multikv not extracting fields

tzhmaba2 · ‎03-19-2012

Hi,

I have created a scripted source which genereates the following output:

   idx_size_kB  idx
24  aaa
24  aaa_sum
2364    appserver
8260716 audit
4   authDb
24  blockSignature
4   bonnie
59894276    defaultdb
324 fishbucket
8   hashDb
356468  hdm
24  hdm_sum
24  historydb
177152  _internaldb

As you see it's a simple du -sk on the indexing DB directory of splunk. When I try to do a timechart over one of the values the multikv doesn't generate any field. Also playing with the field picker does not work. Any ideas how can I pick two fields here: "idx_size_kB" and "idx"??

index= source=du_idx | multikv - and there are no fields generated. Is it because the values are shifted in eac line??

Regards,
Bartosz

tzhmaba2 · ‎03-20-2012

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

View solution in original post

tzhmaba2 · ‎03-20-2012

It's always best to answer oneself...

The solution is to use the "forceheader=1" flag for multikv.

Regards,
Bartosz

multikv not extracting fields

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

multikv not extracting fields

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine