Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I perform a field extraction and display it as a table that contains all the values from my search?

senthamilselvan
Engager
‎02-01-2018 12:25 PM

Hi Team,

Please find the below log sample. I want to extract from the line "program" till the end and display as a table which contains all the values as shown in the output..

REPLICATION LAG

Oracle GoldenGate Command Interpreter for DB2 Version 12.1.2.1.5 20635622 OGGCORE_12.1.2.1.0OGGBP_PLATFORMS_150320.0454
AIX 6, ppc, 64bit (optimized), DB2 10.5 on Apr 23 2015 00:58:12 Operating system character set identified as ISO-8859-1.

Copyright (C) 1995, 2015, Oracle and/or its affiliates. All rights reserved.

GGSCI (nc006qad02) 1> info all

Program     Status      Group       LagatChkpt  TimeSinceChkpt
MANAGER     RUNNING                                           
JAGENT      RUNNING                                           
REPLICAT    RUNNING     REPHG       00:00:00      00:00:05    
REPLICAT    RUNNING     REPRA       00:00:00      00:00:07    
REPLICAT    RUNNING     REPSD       00:00:00      00:00:00    
REPLICAT    STOPPED     RILAA       00:00:00      3489:18:54  
REPLICAT    STOPPED     RILQQ       00:00:00      3166:32:14  
REPLICAT    STOPPED     RILRA       00:00:00      3489:18:44  
REPLICAT    STOPPED     RILRH       00:00:00      3489:18:01  
REPLICAT    STOPPED     RILTT       00:00:00      3489:18:36  
REPLICAT    RUNNING     RPLXQ       00:00:00      00:00:04    
REPLICAT    ABENDED     RRAHG       2125:39:25    01:13:05    

output table will be: and the first line will be header of the table.

Program     Status      Group       LagatChkpt  TimeSinceChkpt
MANAGER     RUNNING                                           
JAGENT      RUNNING                                           
REPLICAT    RUNNING     REPHG       00:00:00      00:00:05    
REPLICAT    RUNNING     REPRA       00:00:00      00:00:07    
REPLICAT    RUNNING     REPSD       00:00:00      00:00:00    
REPLICAT    STOPPED     RILAA       00:00:00      3489:18:54  
REPLICAT    STOPPED     RILQQ       00:00:00      3166:32:14  
REPLICAT    STOPPED     RILRA       00:00:00      3489:18:44  
REPLICAT    STOPPED     RILRH       00:00:00      3489:18:01  
REPLICAT    STOPPED     RILTT       00:00:00      3489:18:36  
REPLICAT    RUNNING     RPLXQ       00:00:00      00:00:04    
REPLICAT    ABENDED     RRAHG       2125:39:25    01:13:05
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2018 05:51 AM

If you can treat all of the lines as a single event then the multikv command should help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-01-2018 01:15 PM

Does all those lines part of single event?

0 Karma
Reply

senthamilselvan
Engager
‎02-01-2018 11:38 PM

we can consider as single event or we can break into multiple as well. Because that is sample file am going to index

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...