Solved: Multikvs on Multiple Lines

silvermail · ‎01-05-2011

Hi everybody,

I have a piece of log that goes like the below as a single event.

Basically these are the statistics for 3 of the virtual servers, namely RealServer1, RealServer2 and RealServer3.

Question - I want to have a query that allows me to print on information such as the TotConn, Rx-pkts, Tx-pkts etc. for RealServer3

In this case, how can I refine my search such that when I apply multikv on the results, I am only applying it to RealServer3, and not to the rest of the virtual servers.

I tried to do a search e.g.

sourcetype=virtuallogs "Name: RealServer3" | multikv

But multikv in this case will also give me the results from RealServer1 and RealServer2 which is not what I wanted.

Thanks for any inputs again.

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown
Name: RealServer1            State: Enabled             IP:192.168.1.100:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0   
Name: RealServer2            State: Enabled             IP:192.168.1.101:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0   
Name: RealServer3            State: Active              IP:192.168.88.211:   1
Mac: 000c.29b8.6170          Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
http    ACT 0  0       6          0         18        0          1164       0
Server  Total  0       6          0         18        0          1164       0

twkan · ‎01-07-2011

Okay, I have decided to break the events into several chunks.

First break would be the Real Servers Info component, and it goes something like this:

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown

Second break onwards will be denoted by the Name: Realserver1, Name: Realserver2 etc.

    Name: Realservr1                     State: Active              IP:192.168.88.215:   1
    Mac: 000c.2957.46a5          Weight: 1/1              MaxConn: 2000000
    SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
    Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
    ----    --  -- ------- -------    -------   -------   --------   --------   ----
    default UNB 0  0       0          0         0         0          0          0
    http    FAL 0  0       0          0         0         0          0          0
    Server  Total  0       0          0         0         0          0          0

My props looks something like:

BREAK_ONLY_BEFORE = Name:
MUST_BREAK_AFTER = telnet@ServerIronADX 1000#

I think this is working, and I am able to multikv and report correctly.

View solution in original post

twkan · ‎01-07-2011

Okay, I have decided to break the events into several chunks.

First break would be the Real Servers Info component, and it goes something like this:

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown

Second break onwards will be denoted by the Name: Realserver1, Name: Realserver2 etc.

    Name: Realservr1                     State: Active              IP:192.168.88.215:   1
    Mac: 000c.2957.46a5          Weight: 1/1              MaxConn: 2000000
    SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
    Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
    ----    --  -- ------- -------    -------   -------   --------   --------   ----
    default UNB 0  0       0          0         0         0          0          0
    http    FAL 0  0       0          0         0         0          0          0
    Server  Total  0       0          0         0         0          0          0

My props looks something like:

BREAK_ONLY_BEFORE = Name:
MUST_BREAK_AFTER = telnet@ServerIronADX 1000#

I think this is working, and I am able to multikv and report correctly.

Multikvs on Multiple Lines

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation