Getting Data In

Extracting or breaking values out of a _raw line for better visualisation/monitoring

lemikg
Communicator

Hi everybody,

I am just getting started "splunking" and have done the tutorial so far. However, for my next report I want to query values from sourcetype="interfaces" and the field _raw, which contains several data sets. This is what I got:

Name MAC inetAddr Collisions RXbytes TXbytes Speed Duplex bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51xxxx98 720xx11409   em1 E0:xx:56:xx:xx:84   0 41102617 7203522xx1 1000Mb/s full em2 E0:xx:56:xx:xx:84   0 998xx07 0 1000Mb/s full

I want to be able to extract the fields and the associated values in order to table them accordingly.

1/30/13
4:13:19.000 PM

Name MAC inetAddr inet6Addr Collisions RXbytes TXbytes Speed Duplex
bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51080098 7203511409

em1 E0:xx:56:xx:xx:84 0 41102617 7203522971 1000Mb/s full

em2 E0:xx:56:xx:xx:84 0 9981407 0 1000Mb/s full

I tried field extraction (probably not quite right) due to the restrictions I get as soon as there is more than one MAC address.

I hope I was able to describe the problem. Could anyone point me in the right direction?
I appreciate your help.

Best regards from Germany,

Mike


lemikg
Communicator

I think I just found the answer

sourcetype=interfaces | multikv | table host Name inetAddr Collisions RXbytes TXbytes

Also thanks to the provided video on Youtube Quick Tip: Making Sense of Tabular Data (multikv)
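The accepted answer works because multikv reads the header row and uses it to carve each table line into fields. The Python below is an added example, not code from this thread or from Splunk: it approximates header-offset-based extraction on a constructed sample shaped like the interfaces table (placeholder addresses) and shows why a plain whitespace split misaligns the rows that have empty inetAddr or Speed cells.

```python
import re

# Constructed sample in the shape of the "interfaces" table from the question.
# Addresses are placeholders; the column alignment is what matters here.
SAMPLE = """\
Name   MAC                inetAddr       inet6Addr                     Collisions RXbytes   TXbytes    Speed    Duplex
bond0  E0:xx:56:xx:xx:84  19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx  0          51080098  7203511409
em1    E0:xx:56:xx:xx:84                                               0          41102617  7203522971 1000Mb/s full
em2    E0:xx:56:xx:xx:84                                               0          9981407   0          1000Mb/s full
"""


def split_naive(line):
    """Whitespace split: every empty cell shifts the remaining values left."""
    return line.split()


def parse_table(text):
    """Assign each token to the header column whose start offset is nearest.

    This is an illustration of header-position-based extraction (the idea
    multikv relies on), not Splunk's implementation.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    # (offset, name) for every column heading in the first row
    columns = [(m.start(), m.group()) for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[1:]:
        row = {name: "" for _, name in columns}  # missing cells stay empty
        for tok in re.finditer(r"\S+", line):
            _, name = min(columns, key=lambda c: abs(c[0] - tok.start()))
            row[name] = tok.group()
        rows.append(row)
    return rows


if __name__ == "__main__":
    em1_line = SAMPLE.splitlines()[2]
    print("naive split of em1:", split_naive(em1_line))
    for row in parse_table(SAMPLE):
        print(row["Name"], row["inetAddr"] or "-", row["Collisions"],
              row["RXbytes"], row["TXbytes"], row["Speed"] or "-")
```

Splunk's multikv then turns each parsed row into its own event, which is why the table command in the answer can list one interface per line.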
