Getting Data In

Need help with Props and Transforms

mridus
New Member

Hi,
I have written a script whose output is:

It is well formatted (arranged in columns although the formatting is not visible here in this post)

Type                PerSecond       PerTransaction          PerExec         PerCall
DB Time(s):         0.7             30.1                    0.49            2.75
DB CPU(s):          0.1             3.5                     0.06            0.32
Redo size:          1,365.6         55,655.8                0.00            0.00
Logical reads:      2,483.3         101,208.4               0.00            0.00
Block changes:      3.3             132.7                   0.00            0.00
Physical reads:     2,436.6         99,305.7                0.00            0.00
Physical writes:    0.6             24.9                    0.00            0.00
User calls:         0.3             11.0                    0.00            0.00
Parses:             1.2             48.7                    0.00            0.00
Hard parses:        0.0             0.6                     0.00            0.00
W/A MB processed:   0.0             1.8                     0.00            0.00
Logons:             0.0             1.1                     0.00            0.00
Executes:           1.5             61.9                    0.00            0.00
Rollbacks:          0.0             0.4                     0.00            0.00
Transactions:       0.0             0.00                    0.00            0.00

My props.conf looks like:

[Load_Profile]  
BREAK_ONLY_BEFORE=Type  
MAX_EVENTS=16  
NO_BINARY_CHECK=1  
SHOULD_LINEMERGE=true  

After the data is Splunked, when I multikv, it does not seem to work. What could be the problem here?

I have also tried having the scripted output without the headers:

DB Time(s):         0.7             30.1                    0.49            2.75
DB CPU(s):          0.1             3.5                     0.06            0.32
Redo size:          1,365.6         55,655.8                0.00            0.00
Logical reads:      2,483.3         101,208.4               0.00            0.00
Block changes:      3.3             132.7                   0.00            0.00
Physical reads:     2,436.6         99,305.7                0.00            0.00
Physical writes:    0.6             24.9                    0.00            0.00
User calls:         0.3             11.0                    0.00            0.00
Parses:             1.2             48.7                    0.00            0.00
Hard parses:        0.0             0.6                     0.00            0.00
W/A MB processed:   0.0             1.8                     0.00            0.00
Logons:             0.0             1.1                     0.00            0.00
Executes:           1.5             61.9                    0.00            0.00
Rollbacks:          0.0             0.4                     0.00            0.00
Transactions:       0.0             0.00                    0.00            0.00

props.conf:

[Load_Profile]  
SHOULD_LINEMERGE = false  
LINE_BREAKER = ^()$  
TRUNCATE = 1000000  
DATETIME_CONFIG = CURRENT  
REPORT-fields_for_load_profiles_sh = fields_for_load_profiles_sh 

transforms.conf:

[fields_for_load_profiles_sh]  
REGEX = ([A-Za-z\s\(\)\/]+)\:*\s+(\d*\,*\d*\.*\d*)\s+(\d*\,*\d*\.*\d*)\s+(\d*\,*\d*\.*\d*)\s+(\d*\,*\d*\.*\d*)  
FORMAT = Type::$1 PerSecond::$2 PerTransaction::$3 PerExec::$4 PerCall::$5 

This does not seem to work either. Can somebody help?

0 Karma
1 Solution

lguinn2
Legend

I would use the following props.conf stanza:

[Load_Profile]  
BREAK_ONLY_BEFORE=Type  
SHOULD_LINEMERGE=true
DATETIME_CONFIG = CURRENT

Keep the header line, and multikv will use it to create the fields. You should not need the transforms.conf at all.
You might try multikv forceheader=1 to see if that picks up the header.

Another idea - I see that the output is very nicely formatted in columns - but is it formatted consistently for each line? I think Splunk might do better if there was always a single tab between columns, even though that would not look nice as a printed output. If some rows in the table have differing numbers of spaces and/or tabls, I don't know if Splunk will be able to properly extract the fields.

View solution in original post

0 Karma

lguinn2
Legend

I would use the following props.conf stanza:

[Load_Profile]  
BREAK_ONLY_BEFORE=Type  
SHOULD_LINEMERGE=true
DATETIME_CONFIG = CURRENT

Keep the header line, and multikv will use it to create the fields. You should not need the transforms.conf at all.
You might try multikv forceheader=1 to see if that picks up the header.

Another idea - I see that the output is very nicely formatted in columns - but is it formatted consistently for each line? I think Splunk might do better if there was always a single tab between columns, even though that would not look nice as a printed output. If some rows in the table have differing numbers of spaces and/or tabls, I don't know if Splunk will be able to properly extract the fields.

0 Karma

mridus
New Member

You are right about the output looking nicely formed. I had more than 1 tab space between columns. Once I reduced it to just 1 tab, the multikv worked without forceheader=1. Thanks for the help

0 Karma

mridus
New Member

Hi,
Thanks. I have already done multikv forceheader=1 but I see that the values of the keys are followed by spaces. So currently I am doing "convert rmunit" to convert the numbers to be used with "stat avg".
Any idea why the spaces are included in the values? Can they be avoided? I don't want to be changing all the strings to numbers for every arithmetic function I use.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...