Hi, I have one OS index in Splunk where I get the raw data in a tabular format like below. Now I need to extract fields like PID, and only for the "java" COMMAND.
PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND
7195 user 20 0 1361m 74m 15m S 25.1 0.3 57:32.41 oneagentos
7240 api 20 0 14.1g 1.9g 35m S 5.8 8.1 62:42.81 java
9717 api 20 0 14.1g 1.8g 35m S 3.9 7.8 61:00.56 java
3882 user1 20 0 1530m 34m 8584 S 1.9 0.1 212:28.61 python
I would need this data in a lookup because I need to ingest it into another instance of Splunk to compare the charts.
Can someone help me extract these fields, and how can I export those to another Splunk?
On your 1st instance, you could do something like this to extract pids to a file.
index=os | rex field=_raw max_match=0 "(?m)^(?<java_pid>\d+)\s.*\sjava$" | mvexpand java_pid | search java_pid=* | eval status="java" | table java_pid, status | outputlookup java_pid_status.csv
On the second instance, you can then use this lookup to compare
Hi, I don't think this rex is correct, as it is not working.
Could you please check now, and also review/amend as needed for your event: https://regex101.com/r/lcAZF0/2
It worked, thanks.
Use multikv:
| stats count | eval _raw="PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND
7195 user 20 0 1361m 74m 15m S 25.1 0.3 57:32.41 oneagentos
7240 api 20 0 14.1g 1.9g 35m S 5.8 8.1 62:42.81 java
9717 api 20 0 14.1g 1.8g 35m S 3.9 7.8 61:00.56 java
3882 user1 20 0 1530m 34m 8584 S 1.9 0.1 212:28.61 python" | table _raw
| multikv
For your example:
index=os | multikv | outputlookup yourlookup.csv
Hi Landen, Thanks for your response.
Using this I am not able to see the _time field. So basically my ultimate goal is to plot 2 charts (line graphs) in the same Splunk. Now the 2nd chart will consist of this index=os data. So I was thinking of exporting the PID and time values from this Splunk to the other Splunk and then plotting the chart against time.
Does this make sense?
The SPL posted was just an example to show the command "multikv" in action. For your data, your SPL would probably look like this:
index=os | multikv
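As an added example (not part of this thread), here is the same extraction in Python: the (?m)-style regex from the first answer beside the bare-^ version that finds nothing on a multi-line event, a header-driven parse like multikv, and the lookup rows with _time that the last reply asks for. The sample event, the _time value and the output field names are constructed for the example.

```python
import csv
import io
import re

# Constructed sample event: the top-style table from the question, as one
# multi-line _raw value (what index=os hands to rex or multikv).
SAMPLE_EVENT = """PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND
7195 user 20 0 1361m 74m 15m S 25.1 0.3 57:32.41 oneagentos
7240 api 20 0 14.1g 1.9g 35m S 5.8 8.1 62:42.81 java
9717 api 20 0 14.1g 1.8g 35m S 3.9 7.8 61:00.56 java
3882 user1 20 0 1530m 34m 8584 S 1.9 0.1 212:28.61 python"""

# Counterpart of rex field=_raw max_match=0 "(?m)^(?<java_pid>\d+)\s.*\sjava$":
# re.MULTILINE plays the role of (?m) and findall the role of max_match=0.
JAVA_PID_RE = re.compile(r"^(\d+)\s.*\sjava$", re.MULTILINE)

def java_pids_by_regex(raw: str) -> list[str]:
    """Every PID whose line ends in the java command."""
    return JAVA_PID_RE.findall(raw)

def java_pids_wrong_anchor(raw: str) -> list[str]:
    """Same pattern without MULTILINE: ^ only matches before the header line,
    so a rex with a bare ^ extracts nothing from a multi-line event."""
    return re.findall(r"^(\d+)\s.*\sjava$", raw)

def multikv(raw: str) -> list[dict[str, str]]:
    """Header-driven parse like multikv: first line names the fields, each later
    line is one row. COMMAND is last, so it keeps embedded spaces; short rows are skipped."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        values = line.split(None, len(header) - 1)
        if len(values) == len(header):
            rows.append(dict(zip(header, values)))
    return rows

def java_lookup_rows(raw: str, event_time: str) -> list[dict[str, str]]:
    """Lookup rows (_time, java_pid, status) for java rows only; event_time
    is the event's _time, supplied by the caller (constructed in the test)."""
    return [{"_time": event_time, "java_pid": r["PID"], "status": "java"}
            for r in multikv(raw) if r["COMMAND"] == "java"]

def write_lookup_csv(rows: list[dict[str, str]]) -> str:
    """Serialize the rows the way outputlookup would, header row first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["_time", "java_pid", "status"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```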