I'm trying to extract data from events which contain a table:
RAW Data Table
# | INST_ID | STATISTIC | VALUE
1 | 1 | DDL Initiated | 3786
2 | 1 | DDL Initiated (IPQ) | 0
3 | 1 | DFO Trees | 24036
4 | 1 | DML Initiated | 0
5 | 1 | DML Initiated (IPQ) | 0
6 | 1 | Distr Msgs Recv'd | 0
multikv.conf
[ops_db_ora_mkv]
header.linecount = 1
header.start_offset = 1
header.tokens = _tokenize_, -1,"|"
body.start_offset=2
body.tokens = _tokenize_, 0,"|"
Search String
.... | multikv conf=ops_db_ora_mkv fields STATISTIC | eval s=if(isnull(STATISTIC),"isnull",STATISTIC)
Result
Field      Value
VALUE      3786
INST_ID    1
#          1
STATISTIC  DDL Initiated
linecount  1
s          isnull
The field STATISTIC, like the other fields, contains a value, but if I use it somewhere it is NULL. Do I need another syntax to access this field?
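To make the stanza's offsets and tokenizer concrete, here is a small Python parser that applies the multikv.conf settings from the question to its table. It is an added example, not the asker's code and not Splunk's multikv implementation; the title line it places before the header (the 0-based offsets in the stanza imply one line precedes the header), the `trim` switch, and the reading of `max_tokens=0` as "the header's token count" are this example's own assumptions. It shows the field set the stanza yields per row, and one way a field can display a value yet miss an exact-name lookup such as `isnull(STATISTIC)`: if the header token keeps the spaces around the `|` delimiter, the field is named `" STATISTIC "` rather than `STATISTIC`.

```python
import re

# multikv.conf stanza from the question, reduced to the keys it sets.
STANZA = {
    "header.start_offset": 1,
    "header.linecount": 1,
    "header.tokens": ("_tokenize_", -1, "|"),
    "body.start_offset": 2,
    "body.tokens": ("_tokenize_", 0, "|"),
}

# Constructed event. header.start_offset=1 / body.start_offset=2 are 0-based,
# so the stanza expects one line ahead of the header; a made-up title line
# stands in for it. The table rows are the ones from the question.
EVENT = """\
Oracle parallel-query statistics (constructed line 0)
# | INST_ID | STATISTIC | VALUE
1 | 1 | DDL Initiated | 3786
2 | 1 | DDL Initiated (IPQ) | 0
3 | 1 | DFO Trees | 24036
4 | 1 | DML Initiated | 0
5 | 1 | DML Initiated (IPQ) | 0
6 | 1 | Distr Msgs Recv'd | 0
"""


def tokenize(line, max_tokens, delims, trim=True):
    """_tokenize_ <max_tokens> <delims>: split on any delimiter character.

    max_tokens > 0 keeps that many leading tokens; -1 keeps all (the caller
    resolves 0 to the header's width). Trimming the whitespace that surrounds
    each ' | ' is this example's own switch, not a multikv.conf setting.
    """
    parts = re.split("[" + re.escape(delims) + "]", line)
    if max_tokens > 0:
        parts = parts[:max_tokens]
    return [p.strip() for p in parts] if trim else parts


def parse_multikv(event, stanza=STANZA, trim=True):
    """Return one dict per body row, keyed by the header tokens."""
    lines = event.splitlines()
    h0 = stanza["header.start_offset"]
    header = " ".join(lines[h0:h0 + stanza["header.linecount"]])
    _, hmax, hdelims = stanza["header.tokens"]
    fields = tokenize(header, hmax, hdelims, trim)
    _, bmax, bdelims = stanza["body.tokens"]
    if bmax == 0:  # assumption: 0 means "as many tokens as the header has"
        bmax = len(fields)
    rows = []
    for line in lines[stanza["body.start_offset"]:]:
        if not line.strip():
            continue
        rows.append(dict(zip(fields, tokenize(line, bmax, bdelims, trim))))
    return rows


def eval_s(row):
    """Mirror the search's eval s=if(isnull(STATISTIC),"isnull",STATISTIC):
    a lookup by the exact name STATISTIC, nothing fuzzier."""
    value = row.get("STATISTIC")
    return "isnull" if value is None else value


if __name__ == "__main__":
    for trim in (True, False):
        rows = parse_multikv(EVENT, trim=trim)
        print(f"trim={trim}: field names {list(rows[0])!r}")
        print(f"  first row -> s={eval_s(rows[0])!r}")
```

Running it prints the field names under both settings: with trimming, `eval_s` returns `DDL Initiated` for the first row; without it, the key is `' STATISTIC '` and the same lookup returns `isnull` even though the row plainly holds the value. Printing `repr()` of the extracted field names is the same cheap check to apply to real events whenever a field shows up in the results table but comes back null from eval.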
I cannot tell you exactly what is wrong, but I do not think that you need to be using multikv.conf, because you can tell Splunk how to figure all that out by using the forceheader=1 directive. Try this run-anywhere example as a starting point and merge it with your actual events:
|noop|stats count AS _raw|eval _raw=" # | INST_ID | STATISTIC | VALUE
1 | 1 | DDL Initiated | 3786
2 | 1 | DDL Initiated (IPQ) | 0
3 | 1 | DFO Trees | 24036
4 | 1 | DML Initiated | 0
5 | 1 | DML Initiated (IPQ) | 0
6 | 1 | Distr Msgs Recv'd | 0"
| multikv forceheader=1
| fields STATISTIC | eval s=if(isnull(STATISTIC),"isnull",STATISTIC)
Can you show an example of the search that is giving you NULL values?
It's just a simple search to select from one index:
index=xx_indexname_xx source="xx_source_xx" host=xx_host_xx | multikv conf=ops_db_ora_mkv fields STATISTIC | eval s=if(isnull(STATISTIC),"isnull",STATISTIC) | eval s1=mvindex(STATISTIC,1)