Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what will it take for MULTIKV to format a table (1 header row, 1+ data rows) properly?

V_at_Splunk
Splunk Employee
Splunk Employee
‎01-17-2010 06:36 PM

Such a helpful command, and yet doesn't work for me...

Reply
1 Solution
Solved! Jump to solution
Solution

V_at_Splunk
Splunk Employee
Splunk Employee
‎01-17-2010 06:44 PM
  • 1 header row
  • numeric data must be be right-justified (under header)
  • non-numeric data must be be either left-justified or right-justified (under header)
  • all rows (header & data) must have same # of columns -- MULTIKV abhors a sparse matrix.
    • If you don't have enough data values in a row, create dummy values like ? or n/a
    • If you have blanks inside a value, fill them in with _ (or some such); or put quotes around the value.

Let's say you have this input from PostgresQL:

 procpid |  usename   |         current_query          | waiting |          xact_start           |   client_addr   | client_port 
---------+------------+--------------------------------+---------+-------------------------------+-----------------+-------------
   19578 | areiser    | <IDLE>                         | f       |                               | 192.168.1.105   |       47736
     690 | txreadonly | <insufficient privilege>       |         |                               |                 |            
   27986 | forums     | <insufficient privilege>       |         |                               |                 |            
   19588 | areiser    | <IDLE>                         | f       |                               | 192.168.104.234 |       47738
   19591 | areiser    | select * from pg_stat_activity | f       | 2010-01-07 13:15:05.002492-06 |                 |          -1
(5 rows)

We apply a bit of awk(1), as:

BEGIN {
    FS = "|";
    OFS = " ";
}

# Skip lines which are neither header nor data
NR == 2 {next}
(NF==1) && ($1 ~ /[0-9]+ row/) {next}

{
    for (i=1; i<=NF; ++i) {
        fieldWidth = length($i);

        if (gsub("[\012\015]", "", $i) && (NR>1))
            ++fieldWidth;
        sub(" +$", "", $i);
        sub("^ +", "", $i);

        # can't have blanks within values -- fill with _'s 
        gsub(" ", "_", $i);

        # can't have blank cells in table -- replace with "<n/a>"
        $i = length($i) ? $i : "<n/a>";

        # right-justify everything
        format = sprintf("%%%ds", fieldWidth);
        $i = sprintf(format, $i);
    }
    print
}

,and obtain

  procpid      usename                    current_query   waiting                      xact_start       client_addr    client_port
    19578      areiser                           <IDLE>         f                           <n/a>     192.168.1.105          47736
      690   txreadonly         <insufficient_privilege>     <n/a>                           <n/a>             <n/a>          <n/a>
    27986       forums         <insufficient_privilege>     <n/a>                           <n/a>             <n/a>          <n/a>
    19588      areiser                           <IDLE>         f                           <n/a>   192.168.104.234          47738
    19591      areiser   select_*_from_pg_stat_activity         f   2010-01-07_13:15:05.002492-06             <n/a>             -1

, which MULTIKV will accept. To easier craft this general solution above, we assumed that all data might be numeric, and hence right-justified all columns.

View solution in original post

Reply
Solved! Jump to solution
Solution

V_at_Splunk
Splunk Employee
Splunk Employee
‎01-17-2010 06:44 PM
  • 1 header row
  • numeric data must be be right-justified (under header)
  • non-numeric data must be be either left-justified or right-justified (under header)
  • all rows (header & data) must have same # of columns -- MULTIKV abhors a sparse matrix.
    • If you don't have enough data values in a row, create dummy values like ? or n/a
    • If you have blanks inside a value, fill them in with _ (or some such); or put quotes around the value.

Let's say you have this input from PostgresQL:

 procpid |  usename   |         current_query          | waiting |          xact_start           |   client_addr   | client_port 
---------+------------+--------------------------------+---------+-------------------------------+-----------------+-------------
   19578 | areiser    | <IDLE>                         | f       |                               | 192.168.1.105   |       47736
     690 | txreadonly | <insufficient privilege>       |         |                               |                 |            
   27986 | forums     | <insufficient privilege>       |         |                               |                 |            
   19588 | areiser    | <IDLE>                         | f       |                               | 192.168.104.234 |       47738
   19591 | areiser    | select * from pg_stat_activity | f       | 2010-01-07 13:15:05.002492-06 |                 |          -1
(5 rows)

We apply a bit of awk(1), as:

BEGIN {
    FS = "|";
    OFS = " ";
}

# Skip lines which are neither header nor data
NR == 2 {next}
(NF==1) && ($1 ~ /[0-9]+ row/) {next}

{
    for (i=1; i<=NF; ++i) {
        fieldWidth = length($i);

        if (gsub("[\012\015]", "", $i) && (NR>1))
            ++fieldWidth;
        sub(" +$", "", $i);
        sub("^ +", "", $i);

        # can't have blanks within values -- fill with _'s 
        gsub(" ", "_", $i);

        # can't have blank cells in table -- replace with "<n/a>"
        $i = length($i) ? $i : "<n/a>";

        # right-justify everything
        format = sprintf("%%%ds", fieldWidth);
        $i = sprintf(format, $i);
    }
    print
}

,and obtain

  procpid      usename                    current_query   waiting                      xact_start       client_addr    client_port
    19578      areiser                           <IDLE>         f                           <n/a>     192.168.1.105          47736
      690   txreadonly         <insufficient_privilege>     <n/a>                           <n/a>             <n/a>          <n/a>
    27986       forums         <insufficient_privilege>     <n/a>                           <n/a>             <n/a>          <n/a>
    19588      areiser                           <IDLE>         f                           <n/a>   192.168.104.234          47738
    19591      areiser   select_*_from_pg_stat_activity         f   2010-01-07_13:15:05.002492-06             <n/a>             -1

, which MULTIKV will accept. To easier craft this general solution above, we assumed that all data might be numeric, and hence right-justified all columns.

Reply
Solved! Jump to solution

V_at_Splunk
Splunk Employee
Splunk Employee
‎02-05-2010 09:03 PM

True. The pre-processing could be simplified if we [a] do some dirty work in SQL (ISNULL, string replacement, etc); [b] get Splunk to break on characters other than whitespace, | in this example; [c] have access to a top-notch SQL CLI (that would be, Oracle's SQL*Plus).

0 Karma
Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎02-05-2010 07:54 AM

that's alotta pre-processing

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...