Splunk Search

How can multiple values of a field be extracted from the below-mentioned event? All the events are in the same format. Any solution/query?

Rakesh_597
Engager

Filesystem Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-rootlv ext3 6.0G 4.3G 1.4G 77% /
/dev/sda1 ext3 194M 78M 107M 43% /boot
/dev/mapper/rootvg-home_lv ext3 2.0G 528M 1.4G 28% /local_home
/dev/mapper/rootvg-opt_lv ext3 6.0G 1.2G 4.5G 21% /opt
/dev/mapper/rootvg-tmp_lv ext3 2.0G 230M 1.7G 13% /tmp
/dev/mapper/rootvg-usr_lv ext3 2.0G 116M 1.8G 7% /usr/local
/dev/mapper/rootvg-var_lv ext3 4.0G 1.4G 2.4G 37% /var
/dev/mapper/rootvg-history_lv ext3 2.0G 68M 1.9G 4% /history_logs
/dev/mapper/rootvg-itm_lv ext3 3.0G 608M 2.3G 22% /opt/IBM/ITM
/dev/mapper/appvg-apps_lv ext3 32G 177M 30G 1% /apps
/dev/mapper/appvg-usr_apigee_lv ext3 197G 485M 187G 1% /usr/apigee
/dev/mapper/appvg-apilogs_lv ext3 20G 173M 19G 1% /apilogs
/dev/mapper/appvg-Introscope_lv ext3 3.0G 69M 2.8G 3% /Introscope
/dev/mapper/rootvg-venafi_lv ext4 976M 1.3M 924M 1% /venafi
/dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G 178G 5% /opt/apigee

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults
| eval _raw="Filesystem,Type,Size,Used,Avail,UsePct,MountedOn
/dev/mapper/rootvg-rootlv,ext3,6.0G,4.3G,1.4G,77%,/
/dev/sda1,ext3,194M,78M,107M,43%,/boot
/dev/mapper/rootvg-home_lv,ext3,2.0G,528M,1.4G,28%,/local_home
/dev/mapper/rootvg-opt_lv,ext3,6.0G,1.2G,4.5G,21%,/opt
/dev/mapper/rootvg-tmp_lv,ext3,2.0G,230M,1.7G,13%,/tmp
/dev/mapper/rootvg-usr_lv,ext3,2.0G,116M,1.8G,7%,/usr/local
/dev/mapper/rootvg-var_lv,ext3,4.0G,1.4G,2.4G,37%,/var
/dev/mapper/rootvg-history_lv,ext3,2.0G,68M,1.9G,4%,/history_logs
/dev/mapper/rootvg-itm_lv,ext3,3.0G,608M,2.3G,22%,/opt/IBM/ITM
/dev/mapper/appvg-apps_lv,ext3,32G,177M,30G,1%,/apps
/dev/mapper/appvg-usr_apigee_lv,ext3,197G,485M,187G,1%,/usr/apigee
/dev/mapper/appvg-apilogs_lv,ext3,20G,173M,19G,1%,/apilogs
/dev/mapper/appvg-Introscope_lv,ext3,3.0G,69M,2.8G,3%,/Introscope
/dev/mapper/rootvg-venafi_lv,ext4,976M,1.3M,924M,1%,/venafi
/dev/mapper/appvg-opt_apigee_lv,ext4,197G,8.9G,178G,5%,/opt/apigee"
| multikv forceheader=1
| table Filesystem,Type,Size,Used,Avail,UsePct,MountedOn

Multiple values?
Do you mean you want to summarize by type?


0 Karma

woodcock
Esteemed Legend

That is the whole point of multikv:

|makeresults | eval _raw="Filesystem                      Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-rootlv       ext3 6.0G 4.3G  1.4G    77% /
/dev/sda1                       ext3 194M  78M  107M    43% /boot
/dev/mapper/rootvg-home_lv      ext3 2.0G 528M  1.4G    28% /local_home
/dev/mapper/rootvg-opt_lv       ext3 6.0G 1.2G  4.5G    21% /opt
/dev/mapper/rootvg-tmp_lv       ext3 2.0G 230M  1.7G    13% /tmp
/dev/mapper/rootvg-usr_lv       ext3 2.0G 116M  1.8G     7% /usr/local
/dev/mapper/rootvg-var_lv       ext3 4.0G 1.4G  2.4G    37% /var
/dev/mapper/rootvg-history_lv   ext3 2.0G  68M  1.9G     4% /history_logs
/dev/mapper/rootvg-itm_lv       ext3 3.0G 608M  2.3G    22% /opt/IBM/ITM
/dev/mapper/appvg-apps_lv       ext3  32G 177M   30G     1% /apps
/dev/mapper/appvg-usr_apigee_lv ext3 197G 485M  187G     1% /usr/apigee
/dev/mapper/appvg-apilogs_lv    ext3  20G 173M   19G     1% /apilogs
/dev/mapper/appvg-Introscope_lv ext3 3.0G  69M  2.8G     3% /Introscope
/dev/mapper/rootvg-venafi_lv    ext4 976M 1.3M  924M     1% /venafi
/dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G  178G     5% /opt/apigee"
| multikv forceheader=1 copyattrs=t
0 Karma
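
Building on the `multikv` extraction shown in the answers above, the following is an added example (not code from any poster in this thread) that turns the extracted string fields into numbers and summarizes them by filesystem type. The sample rows are a subset of the event from the question; the field names `UsePctNum`, `used_val`, `used_unit`, `UsedMB` and the output column names, as well as the 75 percent threshold, are assumptions chosen for illustration.

```spl
| makeresults
| eval _raw="Filesystem                      Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-rootlv       ext3 6.0G 4.3G  1.4G    77% /
/dev/sda1                       ext3 194M  78M  107M    43% /boot
/dev/mapper/rootvg-var_lv       ext3 4.0G 1.4G  2.4G    37% /var
/dev/mapper/rootvg-venafi_lv    ext4 976M 1.3M  924M     1% /venafi
/dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G  178G     5% /opt/apigee"
| multikv forceheader=1
| eval UsePctNum=tonumber(replace(UsePct, "%", ""))
| rex field=Used "^(?<used_val>[\d.]+)(?<used_unit>[KMGT])$"
| eval UsedMB=round(tonumber(used_val) * case(used_unit=="K", 1/1024, used_unit=="M", 1, used_unit=="G", 1024, used_unit=="T", 1024*1024), 1)
| stats count AS filesystems,
        sum(UsedMB) AS total_used_mb,
        max(UsePctNum) AS max_use_pct,
        values(eval(if(UsePctNum>=75, MountedOn, null()))) AS mounts_over_75
        BY Type
```

`multikv` emits one result per table row, so `UsePct` and `Used` arrive as strings such as `77%` and `4.3G`; the `replace`/`rex` steps are what make them comparable and summable. Rows whose `Used` value carries no unit suffix do not match the `rex` and are left out of `total_used_mb`.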
