Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Extracting or breaking values out of a _raw li...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lemikg
Communicator
01-30-2013
07:56 AM
Hi everybody,
I am just getting started "splunking" and have done the tutorial so far, However, for my next report I want to query values from sourcetype="interfaces" and field _raw, which has several data sets. This is what I got:
Name MAC inetAddr Collisions RXbytes TXbytes Speed Duplex bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51xxxx98 720xx11409 em1 E0:xx:56:xx:xx:84 0 41102617 7203522xx1 1000Mb/s full em2 E0:xx:56:xx:xx:84 0 998xx07 0 1000Mb/s full I want to be able to extract the fields and the associated values in order to table them accordingly.
1/30/13
4:13:19.000 PM
Name MAC inetAddr inet6Addr Collisions RXbytes TXbytes Speed Duplex
bond0 E0:xx:56:xx:xx:84 19x.1xx.1xx.xx fe80::e2xx:xxff:fexx:6fxx/xx 0 51080098 7203511409
em1 E0:xx:56:xx:xx:84 0 41102617 7203522971 1000Mb/s full
em2 E0:xx:56:xx:xx:84 0 9981407 0 1000Mb/s full I tried field extraction (propably not quite right) due to the restrictions I get as soon as there are more than one MAC Address.
I hope I was able to describe the problem. Could anyone point me at the right direction?
I appreciate your help.
Best regards from Germany,
Mike
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lemikg
Communicator
01-30-2013
08:20 AM
I think I just found the answer
sourcetype=interfaces | multikv | table host bond0 em1 em2 inetAddr Collision RXbytes TXbytes Also thanks to the provided video on Youtube Quick Tip: Making Sense of Tabular Data (multikv)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lemikg
Communicator
01-30-2013
08:20 AM
I think I just found the answer
sourcetype=interfaces | multikv | table host bond0 em1 em2 inetAddr Collision RXbytes TXbytes Also thanks to the provided video on Youtube Quick Tip: Making Sense of Tabular Data (multikv)
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
