Splunk Dev

Multikvs on Multiple Lines

silvermail
Path Finder

Hi everybody,

I have a piece of log that goes like the below as a single event.

Basically these are the statistics for 3 of the virtual servers, namely RealServer1, RealServer2 and RealServer3.

Question - I want to have a query that allows me to print out information such as the TotConn, Rx-pkts, Tx-pkts etc. for RealServer3.

In this case, how can I refine my search such that when I apply multikv on the results, I am only applying it to RealServer3, and not to the rest of the virtual servers?

I tried to do a search e.g.

sourcetype=virtuallogs "Name: RealServer3" | multikv

But multikv in this case will also give me the results from RealServer1 and RealServer2 which is not what I wanted.

Thanks for any inputs again.

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown
Name: RealServer1            State: Enabled             IP:192.168.1.100:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0   
Name: RealServer2            State: Enabled             IP:192.168.1.101:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0   
Name: RealServer3            State: Active              IP:192.168.88.211:   1
Mac: 000c.29b8.6170          Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
http    ACT 0  0       6          0         18        0          1164       0
Server  Total  0       6          0         18        0          1164       0 

twkan
Splunk Employee

Okay, I have decided to break the events into several chunks.

First break would be the Real Servers Info component, and it goes something like this:

Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown

Second break onwards will be denoted by the Name: Realserver1, Name: Realserver2 etc.

    Name: Realservr1                     State: Active              IP:192.168.88.215:   1
    Mac: 000c.2957.46a5          Weight: 1/1              MaxConn: 2000000
    SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
    Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
    ----    --  -- ------- -------    -------   -------   --------   --------   ----
    default UNB 0  0       0          0         0         0          0          0
    http    FAL 0  0       0          0         0         0          0          0
    Server  Total  0       0          0         0         0          0          0 

My props looks something like:

BREAK_ONLY_BEFORE = Name:
MUST_BREAK_AFTER = telnet@ServerIronADX 1000#

I think this is working, and I am able to multikv and report correctly.
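As an added example (not code from the question or from twkan's answer), the Python script below does offline what the props.conf settings above do at index time and what multikv does at search time: it breaks the raw chunk into one event per "Name:" line, then parses only the block belonging to the requested server, so the per-port table for RealServer3 comes back without RealServer1's and RealServer2's rows. It assumes a trimmed copy of the event from the question (legend plus two of the three server blocks) as constructed input, an anchored "^Name:" pattern in place of the answer's "Name:", and whitespace-split table columns rather than multikv's position-based ones; the "Server Total" row, which has no St/Ms columns, is aligned to the right-hand columns so its values land under the right headers.

```python
import re

# Constructed sample: a trimmed copy of the event shown in the question
# (legend plus two of the three real-server blocks), used as offline input.
SAMPLE_EVENT = """\
Real Servers Info
========================
State - ACT:active, ENB:enabled, FAL:failed, TST:test, SUS:suspect,
        GDN:grace-dn, DIS:disabled, UNK:unknown, UNB:unbind,
        AWU:await-unbind, AWD: await-shutdown
Name: RealServer1            State: Enabled             IP:192.168.1.100:   1
Mac: Unknown                 Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
514     ENB 0  0       0          0         0         0          0          0
Server  Total  0       0          0         0         0          0          0
Name: RealServer3            State: Active              IP:192.168.88.211:   1
Mac: 000c.29b8.6170          Weight: 1/1              MaxConn: 2000000
SrcNAT: not-cfg, not-op      DstNAT: not-cfg, not-op    Serv-Rsts: 0
Port    St  Ms CurConn TotConn    Rx-pkts   Tx-pkts   Rx-octet   Tx-octet   Reas
----    --  -- ------- -------    -------   -------   --------   --------   ----
default UNB 0  0       0          0         0         0          0          0
http    ACT 0  0       6          0         18        0          1164       0
Server  Total  0       6          0         18        0          1164       0
"""

# Stand-in for the answer's BREAK_ONLY_BEFORE = Name:, anchored to the start
# of a line so that "Name:" inside some value cannot start a new event.
BREAK_ONLY_BEFORE = re.compile(r"^Name:", re.MULTILINE)

# "Key: value" pairs laid out in columns; a value ends where two or more
# spaces are followed by the next key, or at the end of the line.
KV = re.compile(r"([A-Za-z-]+):\s*(.*?)(?=\s{2,}[A-Za-z-]+:|$)")


def break_events(raw):
    """Split the raw chunk into events at every line starting with 'Name:'.
    The legend text before the first 'Name:' line becomes its own event."""
    bounds = [0] + [m.start() for m in BREAK_ONLY_BEFORE.finditer(raw)] + [len(raw)]
    events = []
    for start, end in zip(bounds, bounds[1:]):
        chunk = raw[start:end].strip("\n")
        if chunk:
            events.append(chunk)
    return events


def parse_table(lines):
    """Turn the per-port table into one dict per data row, as multikv does.
    Columns are whitespace-split here (multikv uses the header's column
    positions), so the 'Server Total' row needs its own alignment."""
    header, rows = None, []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Port":
            header = tokens
            continue
        if header is None or set(line) <= {"-", " "}:
            continue  # text before the header, or the ---- rule line
        if tokens[:2] == ["Server", "Total"]:
            # The total row has no St/Ms columns: align its values to the right.
            values = tokens[2:]
            row = {"Port": "Server Total"}
            row.update(zip(header[-len(values):], values))
        else:
            row = dict(zip(header, tokens))
        rows.append(row)
    return rows


def parse_server_event(event):
    """Parse one real-server event into header fields plus table rows."""
    lines = event.splitlines()
    table_at = next((i for i, l in enumerate(lines) if l.startswith("Port")), len(lines))
    fields = {}
    for line in lines[:table_at]:
        for m in KV.finditer(line):
            fields[m.group(1)] = re.sub(r"\s+", " ", m.group(2)).strip()
    return {"fields": fields, "rows": parse_table(lines[table_at:])}


def server_stats(raw, name):
    """What the question's search should return: the table for one server only."""
    for event in break_events(raw):
        if not event.startswith("Name:"):
            continue  # the legend event carries no per-server statistics
        parsed = parse_server_event(event)
        if parsed["fields"].get("Name") == name:
            return parsed
    return None


if __name__ == "__main__":
    stats = server_stats(SAMPLE_EVENT, "RealServer3")
    print(stats["fields"])
    for row in stats["rows"]:
        print(row)
```

Run as is, it prints the header fields and the three table rows for RealServer3 only. Two points carry over to the Splunk side: BREAK_ONLY_BEFORE takes a regular expression, so anchoring it as ^Name: is safer than a bare Name:, and it only takes effect when SHOULD_LINEMERGE is true for the sourcetype.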


