Multiline table processing

clyde772
Communicator

How can I process tables like the one below, where the data is spread across multiple lines? The top set defines the field names, and a data set starts with "0 CP1_LS", the next set being "1 CP1_LS", and so on. This, by the way, is a data set that gets produced every 30 min.

    TABLE LABEL : 

          KEY (C7_LINKSET_NUMBER)
          INFO (C7LINK_OMINFO)
             C7MSUTX   C7MSUTX2    C7MSURX   C7MSURX2    C7BYTTX   C7BYTTX2
             C7BYTRX   C7BYTRX2    C7BYTRT   C7BYTRT2   C7MSUDSC   C7ONSET1
            C7ONSET2   C7ONSET3   C7ONSETV   C7ABATE1   C7ABATE2   C7ABATE3
            C7ABATEV   C7MSUDC1   C7MSUDC2   C7MSUDC3    C7STRET   C7MSBRET
            C7MSGLOS   C7MSGMSQ    C7MSUOR   C7MSUOR2    C7MSUTE   C7MSUTE2
             C7MSUTS   C7MSUTS2

       0 CP1_LS
          0
                4582          0       3493          0       1783          1
               16130          1          0          0          0          0
                   0          0          0          0          0          0
                   0          0          0          0          2          2
                   0          0       4583          0       3492          0
                   0          0

       1 CP1_LS
          1
                4800          0       3525          0       7121          1
               17754          1          0          0          0          0
                   0          0          0          0          0          0
                   0          0          0          0          2          2
                   0          0       4800          0       3524          0
                   0          0

       2 CP6_LS
          0
                5760          0       4890          0       1088          2
               15420          1          0          0          0          0
                   0          0          0          0          0          0
                   0          0          0          0          2          2
                   0          0       5762          0       4889          0
                   0          0

       3 CP2_LS
          0
                7367          0       5320          0      31485          2
               58433          1          0          0          0          0
                   0          0          0          0          0          0
                   0          0          0          0          2          2
                   0          0       7366          0       5324          0
                   0          0

So from the above data set, I want to be able to timechart "C7BYTTX" by "CP6_LS" element.

0 Karma

clyde772
Communicator

Lowell,

Thanks, you are right, multikv may be the place to start, which gives me an idea to make it work for multikv: reformatting it so it's multikv friendly.

KEY(C7_LINKSET_NUMBER) INFO(C7LINK_OMINFO) C7MSUTX C7MSUTX2 C7MSURX C7MSURX2 C7BYTTX C7BYTTX2 C7BYTRX C7BYTRX2 C7BYTRT C7BYTRT2 C7MSUDSC C7ONSET1 C7ONSET2 C7ONSET3 C7ONSETV C7ABATE1 C7ABATE2 C7ABATE3 C7ABATEV C7MSUDC1 C7MSUDC2 C7MSUDC3 C7STRET C7MSBRET C7MSGLOS C7MSGMSQ C7MSUOR C7MSUOR2 C7MSUTE C7MSUTE2 C7MSUTS C7MSUTS2 0

CP1_LS 0 4582 0 3493 0 1783 1 16130 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 4583 0 3492 0 0 0 1

CP1_LS 1 4800 0 3525 0 7121 1 17754 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 4800 0 3524 0 0 0

Like that and do multikv.

0 Karma
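An added example, not part of the thread: one way to do the reformatting described in the post above before the data is indexed, rejecting blocks whose value count does not match the header. The names `flatten` and `to_kv` and the sample (cut down to 6 counters, with one truncated block) are constructed for illustration.

```python
import re

# Constructed sample: same layout as the question, cut down to 6 counters.
SAMPLE = """\
      KEY (C7_LINKSET_NUMBER)
      INFO (C7LINK_OMINFO)
         C7MSUTX   C7MSUTX2    C7MSURX
         C7BYTTX   C7BYTTX2    C7BYTRX

   0 CP1_LS
      0
            4582          0       3493
            1783          1      16130

   2 CP6_LS
      0
            5760          0       4890
            1088          2      15420

   3 CP2_LS
      0
            7367          0       5320
"""

RECORD_HEAD = re.compile(r"^(\d+)\s+(\S+)$")

def flatten(report):
    """Return (records, rejected): a dict per linkset, plus headers of bad blocks."""
    fields, records, rejected = [], [], []
    for block in re.split(r"\n\s*\n", report.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if lines[0].startswith("KEY"):
            fields = " ".join(lines[2:]).split()  # names follow KEY and INFO lines
            continue
        head = RECORD_HEAD.match(lines[0])
        if not head or not fields:
            continue  # not a record, e.g. "TABLE LABEL :"
        values = " ".join(lines[2:]).split()
        if len(values) != len(fields) or not all(v.isdigit() for v in values):
            rejected.append(lines[0])  # truncated or corrupted block
            continue
        rec = {"key": int(head.group(1)), "linkset": head.group(2), "info": lines[1]}
        rec.update(zip(fields, map(int, values)))
        records.append(rec)
    return records, rejected

def to_kv(rec):
    # One key=value line per linkset, ready to write out as a single event.
    return " ".join(f"{k}={v}" for k, v in rec.items())
```

Each accepted record becomes one line such as `key=2 linkset=CP6_LS info=0 ... C7BYTTX=1088 ...`, so the counter the question asks about can be charted per linkset.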

Lowell
Super Champion

Any luck with multikv? I think this seems too complicated, but that's probably the best place to start.
