Solved: multikv on raw data (row timestamp)

minkyuk · ‎07-08-2015

Hello-
I'll jump into the main part.

Here is a snippet:
Tue 2015 15:00:23
ZGD-OCU-QQQ
POS-BKD-AKD
COK-ZPP-AKF

DISK-------USAGE-------HOST

My multikv extraction thinks "ZGD-OCU-QQQ" is my "fields".
It definitely is correctly extracting the information, but I'm trying to find a way to skip 3 lines-rows- after the timestamp to extract correct fields.

I would appreciate any help..!
J

richgalloway · ‎07-08-2015

Try ... | multikv start_line=4 .... Adjust the start_line value as necessary.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-08-2015

Try ... | multikv start_line=4 .... Adjust the start_line value as necessary.

---
If this reply helps you, Karma would be appreciated.

minkyuk · ‎07-08-2015

I still need to read the first line to record the Timestamp, however.

Could I use any variation?

richgalloway · ‎07-08-2015

Use rex to extract the timestamp before using multikv on the rest.

---
If this reply helps you, Karma would be appreciated.

multikv on raw data (row timestamp)

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk