Hi Splunkies,
Another question by me... I run a script every 15 min which counts DFS connections on different servers. The output of this script looks pretty much this way in the search app using the source="dfs_connections" search string.
DFSConnection_ServerA=2658
DFSConnection_ServerB=1554
DFSConnection_ServerC=1217
DFSConnection_ServerD=242
DFSConnection_ServerE=680
DFSConnection_ServerF=639
...
If I copy the text and paste it here, it will look like
DFSConnection_ServerA=2658DFSConnection_ServerB=1554DFSConnection_ServerC=1217DFSConnection_ServerD=242DFSConnection_ServerE=680DFSConnection_ServerF=639 ...
I realize that the values aren't split... I try to create a timechart (linechart) that shows the DFS connections (each 15 min) for each server, so I can see peaks during the week.
How can I separate the values so Splunk knows that each ServerX=1234 line is a single value?
I hope you understand my problem and you can give me a hint!
Thanks in advance!
Jan
To fix the issue at the origin:
You can change your script to add a line break at the end of each output,
or in the sourcetype of your script add: SHOULD_LINEMERGE=false
To fix it at search time,
try to reformat your event and force a key-value extraction:
mysearch | rex mode=sed "s/DFSConnection/ DFSConnection/g" | extract pairdelim=" " kvdelim="="
See http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Extract
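
A variant of the search-time fix that goes one step further and produces the per-server line chart asked for in the question, as an added example that is not part of the original answer. It pulls every DFSConnection_<server>=<count> pair out of the merged event with a multi-match rex, expands them to one result per pair, and charts the count by server; the field names pair, server and connections are chosen here for illustration.

```spl
source="dfs_connections"
| rex max_match=0 "(?<pair>DFSConnection_[^=\s]+=\d+)"
| mvexpand pair
| rex field=pair "DFSConnection_(?<server>[^=]+)=(?<connections>\d+)"
| timechart span=15m limit=0 max(connections) by server
```

Because the first rex stops each match at the last digit of the count, it works on the merged text as-is, without first inserting a space before each DFSConnection.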