
multikv parsing of a table not picking all the values

New Member

I have a table like below:

     CPU0       CPU1       CPU2       CPU3       

0: 1826872 0 0 0 IO-APIC-edge timer
1: 9 0 0 0 IO-APIC-edge i8042
4: 390 0 0 0 IO-APIC-edge

6: 2 0 0 0 IO-APIC-edge floppy
7: 179942 1727883 42238 36 IO-APIC hyperv
8: 0 0 0 0 IO-APIC-edge rtc0

When I apply multikv to these kinds of events to get all the CPU0, 1, 2, 3 values, I get just a few of them.

For example, the CPU0 value of 1826872 is skipped and only 390 is picked up. The same is the case for all the other fields I want extracted.
Instead of picking up all the values from the rows, it is just picking up 1 value every few rows for the field.

Please help.

Thanks

0 Karma

SplunkTrust

Since your regex command is probably filtering out any header row, try this search.

... | regex _raw = "\w+:\s+\d+\s+\d+\s+\d+\s+\d+\s+" | multikv noheader=true fields rowNum CPU0 CPU1 CPU2 CPU3 field6 field7 | ...
---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Tried that, but it doesn't extract the CPU0,1,2,3 fields. Just gives me events like below:

Oct 15 2015 00:46:41 UTC -------workernode2------------------------
CPU0 CPU1 CPU2 CPU3

0: 1826872 0 0 0 IO-APIC-edge timer
1: 9 0 0 0 IO-APIC-edge i8042
4: 390 0 0 0 IO-APIC-edge

6: 2 0 0 0 IO-APIC-edge floppy
7: 179942 1727883 42238 36 IO-APIC hyperv
8: 0 0 0 0 IO-APIC-edge rtc0
9: 0 0 0 0 IO-APIC-fasteoi acpi
12: 167 0 0 0 IO-APIC-edge i8042
14: 0 0 0 0 IO-APIC-edge atapiix
15: 98321 0 0 0 IO-APIC-edge ata
piix
NMI: 0 0 0 0 Non-maskable interrupts
LOC: 52647670 46809031 45927541 43500910 Local timer interrupts
SPU: 0 0 0 0 Spurious interrupts

0 Karma

SplunkTrust

Can you show us your search?

0 Karma

New Member
host="MacBook-Air.local" | regex _raw = "\w+:\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+(?\d+)\s+" | multikv
0 Karma

SplunkTrust

What does your search look like?

0 Karma

New Member

Just with | multikv, I see the fields CPU0, 1, 2, 3 being extracted, but with the above-mentioned issue.

0 Karma
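
The following is an added example, not code from any poster in this thread and not a Splunk command: a stand-alone Python parser for the interrupt-table layout pasted above, which produces the expected per-row CPU0 to CPU3 values so they can be compared with what a search extracts. The sample event is constructed from rows shown in the thread; the names `parse_interrupts`, `irq` and `description` are assumptions.

```python
import re

# Constructed sample modelled on the event pasted in the thread: a timestamp
# banner, a CPU header row, blank lines inside the table, a row with a short
# description, and text-labelled rows (NMI, LOC).
SAMPLE_EVENT = """\
Oct 15 2015 00:46:41 UTC -------workernode2------------------------
CPU0 CPU1 CPU2 CPU3

0: 1826872 0 0 0 IO-APIC-edge timer
1: 9 0 0 0 IO-APIC-edge i8042
4: 390 0 0 0 IO-APIC-edge

6: 2 0 0 0 IO-APIC-edge floppy
7: 179942 1727883 42238 36 IO-APIC hyperv
NMI: 0 0 0 0 Non-maskable interrupts
LOC: 52647670 46809031 45927541 43500910 Local timer interrupts
"""

HEADER_RE = re.compile(r"^\s*(CPU\d+(?:\s+CPU\d+)*)\s*$")
ROW_RE = re.compile(r"^\s*(\w+):\s+(.*)$")


def parse_interrupts(event):
    """Return one dict per table row, keyed by the CPU names in the header."""
    cpus, rows = [], []
    for line in event.splitlines():
        header = HEADER_RE.match(line)
        if header:
            cpus = header.group(1).split()
            continue
        row = ROW_RE.match(line)
        if not row or not cpus:
            continue  # banner, blank line, or wrapped description fragment
        tokens = row.group(2).split()
        counts = tokens[:len(cpus)]
        if len(counts) < len(cpus) or not all(t.isdigit() for t in counts):
            continue  # not a per-CPU counter row
        record = {"irq": row.group(1)}
        record.update({cpu: int(n) for cpu, n in zip(cpus, counts)})
        record["description"] = " ".join(tokens[len(cpus):])
        rows.append(record)
    return rows


if __name__ == "__main__":
    for rec in parse_interrupts(SAMPLE_EVENT):
        print(rec)
```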