
How to extract multivalue fields in Splunk and the events in tabular format?

Shashank_87
Explorer

Hi, I have one OS index in Splunk where I get the raw data in a tabular format like below. Now I need to extract these fields like PID, and that too only for the "java" COMMAND.

PID  USER              PR    NI    VIRT     RES     SHR   S  pctCPU  pctMEM       cpuTIME  COMMAND
  7195  user              20     0   1361m     74m     15m   S    25.1     0.3      57:32.41  oneagentos
  7240  api               20     0   14.1g    1.9g     35m   S     5.8     8.1      62:42.81  java
  9717  api               20     0   14.1g    1.8g     35m   S     3.9     7.8      61:00.56  java
  3882  user1              20     0   1530m     34m    8584   S     1.9     0.1     212:28.61  python

I would need this data in a lookup because I need to ingest it into another instance of Splunk to compare the charts.
Can someone help me extract these fields, and how can I export those to another Splunk?

1 Solution

lakshman239
SplunkTrust

On your 1st instance, you could do something like this to extract pids to a file.

    index=os | rex field=_raw max_match=0 "(?m)^\s*(?<java_pid>\d+)\s.*\sjava\s*$" | mvexpand java_pid | eval status="java" | table java_pid, status | outputlookup java_pid_status.csv

On the second instance, you can then use this lookup to compare.


Shashank_87
Explorer

Hi, I don't think this rex is correct as it is not working.


lakshman239
SplunkTrust

Could you please check now, and also review/amend as needed for your event: https://regex101.com/r/lcAZF0/2


Shashank_87
Explorer

It worked thanks.


landen99
Motivator

Use multikv:

| stats count | eval _raw="PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND
7195 user 20 0 1361m 74m 15m S 25.1 0.3 57:32.41 oneagentos
7240 api 20 0 14.1g 1.9g 35m S 5.8 8.1 62:42.81 java
9717 api 20 0 14.1g 1.8g 35m S 3.9 7.8 61:00.56 java
3882 user1 20 0 1530m 34m 8584 S 1.9 0.1 212:28.61 python" | table _raw
| multikv

For your example:

index=os | multikv | outputlookup yourlookup.csv

Shashank_87
Explorer

Hi Landen, thanks for your response.
Using this, I am not able to see the _time field. So basically my ultimate goal is to plot 2 charts (line graphs) in the same Splunk. Now the 2nd chart will consist of this index=os data. So I was thinking of exporting the PID and time values from this Splunk to the other Splunk and then plotting the chart against time.
Does this make sense?


landen99
Motivator

The SPL posted was just an example to show the command "multikv" in action. For your data, your SPL would probably look like this:

index=os | multikv
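Worked example added here, not code from the thread or from Splunk: a short Python script that emulates the two SPL approaches above against a constructed copy of the top table from the question, so the extraction logic can be checked outside Splunk. `rex_java_pids` runs the regex with Python's `re` (named groups are spelled `(?P<name>...)` there instead of PCRE's `(?<name>...)`), first with the pattern as originally posted, which matches nothing because of the stray space before `^` and the indented rows, then with a corrected per-line pattern; `multikv` approximates Splunk's `multikv` by keying each row on the header line; `java_pid_lookup` and `to_lookup_csv` produce the two-column lookup that the accepted answer writes with `outputlookup`. The function names and the sample event are assumptions made for this example.

```python
import csv
import io
import re

# Constructed sample event: one top-style snapshot as Splunk would hold it in _raw.
# The two leading spaces on each data row are deliberate; the rows in the question have them.
SAMPLE_EVENT = """\
PID  USER              PR    NI    VIRT     RES     SHR   S  pctCPU  pctMEM       cpuTIME  COMMAND
  7195  user              20     0   1361m     74m     15m   S    25.1     0.3      57:32.41  oneagentos
  7240  api               20     0   14.1g    1.9g     35m   S     5.8     8.1      62:42.81  java
  9717  api               20     0   14.1g    1.8g     35m   S     3.9     7.8      61:00.56  java
  3882  user1              20     0   1530m     34m    8584   S     1.9     0.1     212:28.61  python
"""

# Pattern as first posted in the thread, transliterated to Python's (?P<name>...) group syntax.
# The space before ^ can never match, and ^ without (?m) anchors only at the start of _raw.
ORIGINAL_PATTERN = r" ^(?P<java_pid>\d+)\s.*java$"

# Corrected pattern: (?m) makes ^ and $ work per line, \s* absorbs the indentation, and
# requiring whitespace before "java" at end of line keeps "javaw" or "/opt/java" from matching.
FIXED_PATTERN = r"(?m)^\s*(?P<java_pid>\d+)\s.*\sjava\s*$"


def rex_java_pids(event: str, pattern: str = FIXED_PATTERN) -> list[str]:
    """Emulate `rex max_match=0`: return every java_pid capture from one event, in order."""
    return [m.group("java_pid") for m in re.finditer(pattern, event)]


def multikv(event: str) -> list[dict[str, str]]:
    """Approximate Splunk's multikv for a whitespace-delimited table: the first non-empty
    line names the fields, and each later line becomes one record keyed on those names."""
    lines = [line for line in event.splitlines() if line.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        cells = line.split()
        # A row whose field count differs from the header cannot be keyed reliably
        # (e.g. a COMMAND containing spaces), so it is dropped rather than mis-keyed.
        if len(cells) != len(header):
            continue
        records.append(dict(zip(header, cells)))
    return records


def java_pid_lookup(event: str) -> list[dict[str, str]]:
    """Rows for the java_pid_status.csv lookup from the accepted answer: PID plus a constant
    status column, restricted to processes whose COMMAND is exactly "java"."""
    return [{"java_pid": rec["PID"], "status": "java"}
            for rec in multikv(event) if rec["COMMAND"] == "java"]


def to_lookup_csv(rows: list[dict[str, str]]) -> str:
    """Render the lookup rows as CSV text, the shape `outputlookup` writes to disk."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["java_pid", "status"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print("original rex:", rex_java_pids(SAMPLE_EVENT, ORIGINAL_PATTERN))  # []
    print("fixed rex:   ", rex_java_pids(SAMPLE_EVENT))                     # ['7240', '9717']
    print(to_lookup_csv(java_pid_lookup(SAMPLE_EVENT)))
```

The corrected pattern carries over to SPL by changing `(?P<java_pid>` back to `(?<java_pid>`; because one event holds the whole table, `rex` needs `max_match=0` so that every java row is captured as a multivalue field, which `mvexpand` then turns into one row per PID before `outputlookup`.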