Splunk Search

Building KV Pairs

Andrew_Banman
Explorer

Hi folks,

I am trying to build KV pairs from some UNIX command output. The log entries look like the output below. In this case I would like to build keys from the headers (%usr, %sys, %wio, %idle) and values for each from the values shown (2, 5, 0, 93). I will then graph multiple entries over time. While the preview here shows this all in a line, the log is a preformatted table.

HP-UX van-sama B.11.31 U ia64 08/21/12
12:49:47 %usr %sys %wio %idle
12:49:48 2 5 0 93

The likely search function seems to be "extract(kv)" but I am unclear on how to go about this and the examples in the docs seem weak.

Can anyone put me on the right track?

Thanks 🙂

0 Karma

Andrew_Banman
Explorer

Good idea but it still fails. Thanks for the help. Multikv seems the answer but doesn't do what we expect it to. Not sure why! Thanks again for the ideas 🙂

_d_
Splunk Employee

Multikv will replace non-alphanumeric chars with underscore.
See if this does the trick:

... | multikv fields _usr _sys _wio _idle

d.

0 Karma

Andrew_Banman
Explorer

Thanks for your response but this doesn't seem to work. No change in the results I get at all. I wonder if it could be the % characters. It certainly doesn't build KV pairs as I would expect it to.

Any other thoughts anyone?

0 Karma

MarioM
Motivator

Multikv seems more appropriate than extract in your case:

... | multikv fields %usr %sys %wio %idle
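
The table-to-KV mapping this thread is after, as an added Python example that is not part of any post above and is not Splunk's multikv implementation. It applies the header normalization described in _d_'s reply (non-alphanumeric characters become underscores); the function names and the header/row detection rules are assumptions made for illustration.

```python
import re

# Constructed sample: the sar-style block quoted in the question.
SAMPLE = """\
HP-UX van-sama B.11.31 U ia64 08/21/12
12:49:47 %usr %sys %wio %idle
12:49:48 2 5 0 93
"""

TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def field_name(header):
    """Replace each non-alphanumeric character with '_' (%usr -> _usr)."""
    return re.sub(r"[^0-9A-Za-z]", "_", header)


def is_number(token):
    try:
        float(token)
        return True
    except ValueError:
        return False


def table_to_kv(text):
    """Return one dict per data row, keyed by the normalized header names."""
    names, rows = None, []
    for line in text.splitlines():
        cols = line.split()
        # Table lines start with HH:MM:SS; the OS banner and blanks do not.
        if len(cols) < 2 or not TIME_RE.match(cols[0]):
            continue
        # A timestamped line with any non-numeric column is a header row.
        if not all(is_number(c) for c in cols[1:]):
            names = [field_name(c) for c in cols[1:]]
            continue
        # Skip data seen before a header, or rows with missing columns.
        if names is None or len(cols) - 1 != len(names):
            continue
        row = {"time": cols[0]}
        row.update(zip(names, map(float, cols[1:])))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for event in table_to_kv(SAMPLE):
        print(event)
```
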