multikv

multikv

Synopsis

Extracts field-values from table-formatted events.

Syntax

multikv [<multikv-option>]*

Arguments

<multikv-option>

Syntax: copyattrs=<bool> | fields <field-list> | filter <field-list> | forceheader=<int> | multitable=<bool> | noheader=<bool> | rmorig=<bool>

Description: Options for extracting fields from tabular events.

Multikv options

copyattrs

Syntax: copyattrs=<bool>

Description: Controls the copying of non-metadata attributes from the original event to extract events. Default is true.

fields

Syntax: fields <field-list>

Description: Filters out from the extracted events fields that are not in the given field list.

filter

Syntax: filter <field-list>

Description: If specified, a table row must contain one of the terms in the list before it is extracted into an event.

forceheader

Syntax: forceheader=<int>

Description: Forces the use of the given line number (1 based) as the table's header. By default a header line is searched for.

multitable

Syntax: multitable=<bool>

Descriptions: Controls whether or not there can be multiple tables in a single _raw in the original events. (default = true)

noheader

Syntax: noheader=<bool>

Description: Allow tables with no header. If no header fields would be named column1, column2, ... (default = false)

rmorig

Syntax: rmorig=<bool>

Description: Controls the removal of original events from the result set. (default=true)

Description

Extracts fields from events with information in a tabular format (e.g. top, netstat, ps, ... etc). A new event will be created for each table row. Field names will be derived from the title row of the table.

Examples

Example 1: Extract the "COMMAND" field when it occurs in rows that contain "splunkd".

Example 2: Extract the "pid" and "command" fields.

See also

extract, kvform, rex, xmlkv

• Was this topic useful?
• Post a comment