Below is a single event that I indexed. I am trying to multikv this, but just the way it is, i couldn't.
Because of the time stamp line that are not the part of the table.
2011-06-20 13:19:00 HOST=172.23.15.5 EVENT_TYPE=CISCO_IF_ERR_INOUT
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
Fa0/1 1 0 0 10906 0
Fa0/3 0 0 0 10 0
Fa0/6 62993 2 0 79700 0
Fa0/8 0 0 0 11598 0
Fa0/10 1 0 0 12 0
Fa0/11 0 0 0 4 0
Fa0/33 0 0 0 170 0
Fa0/35 0 0 0 2 0
Fa0/48 0 0 0 2 0
So, I did the following search to get rid of the first line,
index="hy-net-err-if" EVENT_TYPE="CISCO_IF_ERR_INOUT" | rex mode=sed "s/\d+\-\d+\-\d+\s+.*//g"
The result came out to be like below, which I got rid of the first line that gets in the way of doing multikv.
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
Fa0/1 1 0 0 10906 0
Fa0/3 0 0 0 10 0
Fa0/6 62993 2 0 79700 0
Fa0/8 0 0 0 11598 0
Fa0/10 1 0 0 12 0
Fa0/11 0 0 0 4 0
Fa0/33 0 0 0 170 0
Fa0/35 0 0 0 2 0
Fa0/48 0 0 0 2 0
But still when I do a multikv, it kind of worked, but not totally. That means it work 1 out of 20 tries.
What am I doing wrong? if not multikv, what would be the command to split the events into single lilne so I can apply
fields extraction rule per line?
Appreciate your help.
