- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- MVINDEX not working well with SPACE separated valu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MVINDEX not working well with SPACE separated values
Hello All,
For an event like this -
CPU uPct nPct sPct wPct iPct
all 0.63 0.00 0.38 0.00 98.99
0 0.00 0.00 0.00 0.00 100.00
1 1.00 0.00 0.00 0.00 99.00
2 0.00 0.00 0.00 0.00 100.00
3 0.00 0.00 0.00 0.00 100.00
I want to extract the iPct value for the all row. For some reason my split and mvindex commands are not working properly. This is what I have tried -
*<base search>*
| rex field=_raw "all(?<cpuUsage>.*)\\n"
| eval cpuFields = split(cpuUsage, " ")
| eval cpuIdle = mvindex(cpuFields,4)
| table _time, cpuIdle
The separation works fine, but may be I am doing something wrong with the mvindex? Please advise!
Thank you
M
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem might be that there are multiple spaces between the values.
Since you only want the last value on the line, this would be simpler.
*<base search>*
| rex field=_raw "all.*\s(?<cpuIdle>\S+)$"
...or if you wanted everything on the all line...
| rex "^(?<CPU>all)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
...or on all lines...
| rex "^(?<CPU>\S+)\s+(?<uPct>\S+)\s+(?<nPct>\S+)\s+(?<sPct>\S+)\s+(?<wPct>\S+)\s+(?<iPct>\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. A bit crude, but this worked for me -
| rex field=_raw "all(?:.*) (?<cpuIdle>([0-9]|\.)+)\\n"
It would still be interesting to find out why my SPLIT didn't work as expected!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what does cpuidle return for you?
i think maybe, you need to use -
| eval cpuIdle = mvindex(cpuFields,5) to get ipct values?
Can you please post a screen shot of what your CURRENT query returns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My cpuidle shows up blank.
_time cpuUsage cpuFields cpuIdle
2017-10-04 22:00:17 2.02 0.00 1.01 0.00 96.97 2.02
0.00
1.01
0.00
96.97
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
