All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multikv extraction fails when table contains empty fields

brettw10
Explorer
‎07-16-2013 11:43 PM

Hi,

I am trying to use multikv to parse the output of df.sh, which is part of the *nix application. On Solaris, the output of df.sh looks like this:

Filesystem                                          Type              Size        Used       Avail      UsePct    MountedOn
/dev/md/dsk/d15                                     ufs               9.6G        3.8G        5.7G         40%    /
sharefs                                             sharefs             0K          0K          0K          0%    /etc/dfs/sharetab
10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01                    1.5T        1.3T        214G         86%    /logpool/logs/archive_global

Using multikv against this table results in the following mapping for the last line (NFS mount), due to an empty/null entry for Type:

Filesystem: 10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01
Type: 1.5T
Size: 1.3T
Used: 214G
Avail: 86%
UsePct: /logpool/logs/archive_global
MountedOn: <null>

All other rows extract correctly, given that they have a value for Type.

So, how can I get multikv to extract the fields correctly for all rows?

Regards,
Brett.

Reply

stanwin
Contributor
‎08-03-2015 03:29 AM

Hi

Is there any workaround in multikv.conf, column with missing values are being assigned values from next header with values..

Subsystem/Job User Number User Type Pool Pty CPU Int Rsp AuxIO CPU% Function Status Threads
JDENET_K ONEWORLD 01267 ONEWORLD BCI 8 20 15884.2 1 1.9 jvmStart DEQW 33
QSRVERR QUSER 00129 ONEWORLD PJ 2 20 18277.8 3832 .9 CNDW 1

Int & Rsp are blank & get values of AuxIO & CPU% respectively

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-17-2013 11:11 AM

This looks like a bug in df.sh on Solaris. What specific version of Solaris? Let us know and we will try to fix.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎07-21-2013 09:42 PM

Thanks, I have filed NIX-317 and will update you when I have more information on the fix. It seems like we can just put "null" in the type column when we aren't able to discern the fs type.

0 Karma
Reply

brettw10
Explorer
‎07-17-2013 06:44 PM

And df.sh:

% df.sh
Filesystem Type Size Used Avail UsePct MountedOn
/dev/md/dsk/d15 ufs 9.6G 3.8G 5.7G 41% /
10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01 1.5T 1.3T 205G 87% /logpool/logs/archive_global

0 Karma
Reply

brettw10
Explorer
‎07-17-2013 06:43 PM

Solaris 10. Here is some (edited) output, due to the character limit of replies.

% df -n
/ : ufs
/logpool/logs/archive_global: nfs

% df -h
Filesystem size used avail capacity Mounted on
/dev/md/dsk/d15 9.6G 3.8G 5.7G 41% /
10.173.22.82:/vol/vf_slog_lons01_logs_vol01/archive_q01
1.5T 1.3T 205G 87% /logpool/logs/archive_global

If I can ever get this site to let me post the full output, I will.

Rgds,
Brett.

0 Karma
Reply

linu1988
Champion
‎07-17-2013 06:08 AM

Could you please post the search query used? I have checked multikv was working ...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...