Hi everybody,
I am just getting started "splunking" and have done the tutorial so far. However, for my next report I want to query values from sourcetype="interfaces" and field _raw, which has several data sets. This is what I got:
Name MAC inetAddr Collisions RXbytes TXbytes Speed Duplex
bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51xxxx98 720xx11409
em1 E0:xx:56:xx:xx:84 0 41102617 7203522xx1 1000Mb/s full
em2 E0:xx:56:xx:xx:84 0 998xx07 0 1000Mb/s full
I want to be able to extract the fields and the associated values in order to table them accordingly.
1/30/13
4:13:19.000 PM
Name MAC inetAddr inet6Addr Collisions RXbytes TXbytes Speed Duplex
bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51080098 7203511409
em1 E0:xx:56:xx:xx:84 0 41102617 7203522971 1000Mb/s full
em2 E0:xx:56:xx:xx:84 0 9981407 0 1000Mb/s full
I hope I was able to describe the problem. Could anyone point me in the right direction?
I appreciate your help.
Best regards from Germany,
Mike
I think I just found the answer:
sourcetype=interfaces | multikv | table host bond0 em1 em2 inetAddr Collision RXbytes TXbytes
Also, thanks to the video provided on YouTube, "Quick Tip: Making Sense of Tabular Data (multikv)".
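The event in the question has blank cells (em1 and em2 carry no inetAddr, bond0 no Speed or Duplex), so splitting rows on whitespace shifts values under the wrong header. The sketch below is an added example, not part of the original posts and not Splunk's implementation of multikv; it assigns each value by the column offsets of the header line instead. The column spacing is constructed (the page lost the original alignment), and the function names are hypothetical.

```python
import re

# Constructed sample: the event from the question, re-aligned into
# fixed-width columns. Masked values are kept as posted.
HEADER = ["Name", "MAC", "inetAddr", "inet6Addr", "Collisions",
          "RXbytes", "TXbytes", "Speed", "Duplex"]
WIDTHS = [6, 19, 16, 30, 12, 10, 12, 10, 6]
MAC = "E0:xx:56:xx:xx:84"
ROWS = [
    ["bond0", MAC, "19x.1xx.1xx.xx", "fe80::e2xx:xxff:fexx:6fxx/xx",
     "0", "51080098", "7203511409", "", ""],
    ["em1", MAC, "", "", "0", "41102617", "7203522971", "1000Mb/s", "full"],
    ["em2", MAC, "", "", "0", "9981407", "0", "1000Mb/s", "full"],
]


def render(cells):
    """Pad each cell to its column width, as the collecting script would."""
    return "".join(c.ljust(w) for c, w in zip(cells, WIDTHS)).rstrip()


SAMPLE = "\n".join(render(r) for r in [HEADER] + ROWS)


def parse_by_whitespace(text):
    """Naive approach: split every line on whitespace and zip with the header."""
    header, *body = [l.split() for l in text.splitlines() if l.strip()]
    return [dict(zip(header, cells)) for cells in body]


def parse_by_offsets(text):
    """Slice each row at the start offsets of the header names."""
    header, *body = [l for l in text.splitlines() if l.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    ends = [start for _, start in cols[1:]] + [None]
    return [{name: line[start:end].strip()
             for (name, start), end in zip(cols, ends)}
            for line in body]


if __name__ == "__main__":
    for row in parse_by_offsets(SAMPLE):
        print(row["Name"], row["inetAddr"] or "-", row["Collisions"],
              row["RXbytes"], row["TXbytes"], row["Speed"] or "-")
```

Blank cells come back as empty strings, so a row can be checked for a missing address or link speed before it is tabled.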