Multikv extraction - Tables within a table?

Question

Hi Splunkers,

So I'm getting started with multikv extractions, and I've come across this issue. I'm attempting to generate a report (based on the output of Solarwinds) that will graph the average number of concurrent connections per virtual server on a specific physical ESX server. The log format is as follows:

Virtual Server Concurrent Connections    
LAST 3 MONTHS 
PSRV-0001    
DATE / TIME VS-0001 VS-0002     VS-0003     VS-0004 
29-Apr-11   0       0.142857143 0           0 
6-May-11    0       0.285714286 0           0 
13-May-11   0       0           0           0 
20-May-11   0       0           0           0 
27-May-11   0       0           0           0 
3-Jun-11    0       0           0           0 
10-Jun-11   0       0           0           0 
17-Jun-11   0       0           0.018867925 0.018867925 
24-Jun-11   0       0.005952381 0           0.005952381 
1-Jul-11    0       0.011904762 0           0.005952381 
8-Jul-11    0       0           0           0.011904762 
15-Jul-11   0       0.017       0.006       0.007

Now I've worked through the examples in the documentation, but I can't seem to find a way to make this work the way I want it to, specifically around field extractions (I'm fine with the reporting side of things). To better illustrate the values I'm attempting to extract and report on, I've put together this little HTML table.

	Virtual Server Concurrent Connections
	LAST THREE MONTHS
[host]	PSRV-0001
	DATE / TIME	VS-0001	VS-0002	VS-0003	VS-0004	[virtual_host]
	29-Apr-11	0	0.142857143	0	0
	6-May-11	0	0.285714286	0	0
	13-May-11	0	0	0	0
	20-May-11	0	0	0	0
	27-May-11	0	0	0	0
	3-Jun-11	0	0	0	0
	10-Jun-11	0	0	0	0
	17-Jun-11	0	0	0.018867925	0.018867925
	24-Jun-11	0	0.005952381	0	0.005952381
	1-Jul-11	0	0.011904762	0	0.005952381
	8-Jul-11	0	0	0	0.011904762
	15-Jul-11	0	0.017	0.006	0.007
	[timestamp]	[concurrent-connections]

In essence, I'm trying to extract what would be the logged equivalent of the following (which would be easy to report on):

# timestamp, virtual_server, concurrent_connections 
29-Apr-11, VS-0001, 0 
29-Apr-11, VS-0002, 0.142857143 
29-Apr-11, VS-0003, 0 
29-Apr-11, VS-0004, 0 
6-May-11, VS-0001, 0 
6-May-11, VS-0002, 0.285714286 
6-May-11, VS-0003, 0 
6-May-11, VS-0004, 0 
...

The following caveats are in play:

The host value is variable (ie. changes naming conventions depending on the origin of data)
The virtual_host values are also variable
The number of virtual_hosts on a given host are variable

Can someone please point me in the right direction here, or tell me if this is even possible? There will be much kudos & upvoting for whoever helps!

Answer 1

1

Have you tried to use your multikv settings by creating a multikv.conf ?

There is examples at the bottom of the page link.

link

answered 03 Aug '11, 08:23

MarioM
1.4k●2●7
accept rate: 18%

edited 03 Aug '11, 08:24

I've tried (and am continuing to try) with the examples that have been provided, however I'm not looking to make fields named "VS-0001", "VS-0002" etc... These values need to be extracted to a "virtual_host" field.

My HTML table did have colours to indicate what I'm trying to do, however they get lost once I submitted the question

(03 Aug '11, 18:09) R.Turk

Multikv extraction - Tables within a table?

Follow this question

Splunk Resources

Related questions