Splunk Search

Help needed to get key-value pairs from a tabular data file

msarro
Builder

Hey everyone. This is my first time working with data like this, so I'm a little bit lost. Here is a sample:

System Time: 14:16:39 UTC - WED AUG 21 2013
14:16:40-36
                   ----- Inbound -----  ---- Outbound ----- -- Latency --  Max 
Session Agents     Active  Rate  ConEx  Active  Rate  ConEx    Avg    Max Burst
s01-02.mydomain.net
                  I     0   0.0      0       0   0.0      3  0.056  0.086     1
s01-03.mydomain.net
                  I   847   7.4      0     784  12.6     16  0.045  0.343    34
s03-01a.mydomain.net
                  I     0   0.0      0       0   0.0      1  0.000  0.000     0
s03-02.mydomain.net
                  I     1   0.0      0       0   0.0      0  0.055  0.056     0
s03-02a.mydomain.net
                  I     0   0.0      0       0   0.0      1  0.055  0.055     0
s03-03.mydomain.net
                  I   529   3.9      0     524   6.8      4  0.037  0.181    30
s05-01.mydomain.net
                  I   603   3.7      0     605   7.2      4  0.031  0.087    32
s05-02.mydomain.net
                  I     0   0.0      0       0   0.0      3  0.054  0.055     0

What I am ultimately looking for is to break each value out into its own key-value pair, by host (so basically keep the time, and end up with a session agent field, an inbound-active field, an inbound-rate field, an inbound conex field, an outbound active field, an outbound rate field, an outbound conex field, a latency avg field, a latency max field, and a max burst field, for each host).

This can be done at search time (there won't be that many occurrences of this data). From there I'll put it in a summary index. I just can't quite get the built-in commands to work correctly. multikv doesn't seem to pull any of the values, and neither does extract. Any pointers would be very helpful; I think I may have jumped into the deep end with this particular input for my first time using non-CSV data.

0 Karma
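As an added example (not code from this thread), here is a parser for exactly this layout: a host line in column 0 followed by an indented row of one letter and nine numbers. It produces the per-host key-value pairs the question asks for, tagged with the report's System Time, and the regular expressions are the part that would carry over to a search-time extraction. The field names are my own choice, the sample is a trimmed copy of the post's data, and the single-letter column is assumed to be a flag that can be skipped.

```python
import re
from typing import Dict, List

# Constructed sample, copied from the post above (hostnames are the post's own placeholders).
SAMPLE = """System Time: 14:16:39 UTC - WED AUG 21 2013
14:16:40-36
                   ----- Inbound -----  ---- Outbound ----- -- Latency --  Max 
Session Agents     Active  Rate  ConEx  Active  Rate  ConEx    Avg    Max Burst
s01-02.mydomain.net
                  I     0   0.0      0       0   0.0      3  0.056  0.086     1
s01-03.mydomain.net
                  I   847   7.4      0     784  12.6     16  0.045  0.343    34
s03-03.mydomain.net
                  I   529   3.9      0     524   6.8      4  0.037  0.181    30
"""

# Field names are assumptions; they follow the two header rows in the sample.
FIELDS = ["inbound_active", "inbound_rate", "inbound_conex",
          "outbound_active", "outbound_rate", "outbound_conex",
          "latency_avg", "latency_max", "max_burst"]

TIME_RE = re.compile(r"^System Time:\s*(.+?)\s*$")
# A session agent sits alone in column 0 and contains a dot; header rows contain spaces.
HOST_RE = re.compile(r"^(\S+\.\S+)\s*$")
# The metrics row is indented: one-letter flag (assumed skippable), then nine numbers.
ROW_RE = re.compile(r"^\s+\S\s+" + r"\s+".join(r"(-?\d+(?:\.\d+)?)" for _ in FIELDS) + r"\s*$")

def parse_report(text: str) -> List[Dict[str, object]]:
    """Return one record per session agent, each carrying the report time."""
    records: List[Dict[str, object]] = []
    report_time = None
    pending_host = None
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            report_time = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            pending_host = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and pending_host:
            rec: Dict[str, object] = {"system_time": report_time, "session_agent": pending_host}
            for name, raw in zip(FIELDS, m.groups()):
                rec[name] = float(raw) if "." in raw else int(raw)
            records.append(rec)
            pending_host = None  # a metrics row with no preceding host line is ignored
    return records

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec)
```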

sowings
Splunk Employee

I would look at the logic embedded in the Unix application's treatment of 'ps'. You're going to want 'multikv', I think.

0 Karma