Search Reference

 


multikv

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.


Synopsis

Extracts field-values from table-formatted events.

Syntax

multikv [conf=<stanza_name>] [<multikv-option>]*

Required arguments

<multikv-option>
Syntax: copyattrs=<bool> | fields <field-list> | filter <field-list> | forceheader=<int> | multitable=<bool> | noheader=<bool> | rmorig=<bool>
Description: Options for extracting fields from tabular events.

Optional arguments

conf
Syntax: conf=<stanza_name>
Description: If you have a field extraction defined in multikv.conf, use this argument to reference the stanza in your search. For more information, refer to the configuration file reference for multikv.conf in the Admin Manual.

Multikv options

copyattrs
Syntax: copyattrs=<bool>
Description: Controls the copying of non-metadata attributes from the original event to the extracted events. Default is true.
fields
Syntax: fields <field-list>
Description: Removes from the extracted events any fields that are not in the given field list.
filter
Syntax: filter <field-list>
Description: If specified, a table row must contain one of the terms in the list before it is extracted into an event.
forceheader
Syntax: forceheader=<int>
Description: Forces the use of the given line number (1 based) as the table's header. By default a header line is searched for.
multitable
Syntax: multitable=<bool>
Description: Controls whether or not there can be multiple tables in a single _raw in the original events. (default = true)
noheader
Syntax: noheader=<bool>
Description: Allows tables with no header. If there is no header, fields are named column1, column2, ... (default = false)
rmorig
Syntax: rmorig=<bool>
Description: Controls the removal of original events from the result set. (default=true)

Description

Extracts fields from events with information in a tabular format (for example, the output of top, netstat, or ps). A new event is created for each table row. Field names are derived from the title row of the table.

Examples

Example 1: Extract the "COMMAND" field when it occurs in rows that contain "splunkd".

... | multikv fields COMMAND filter splunkd

Example 2: Extract the "pid" and "command" fields.

... | multikv fields pid command
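
Added example (not part of the Splunk documentation, and not Splunk's implementation): a simplified Python model of the row-to-event extraction, following the option descriptions on this page and run on a constructed ps-style event so the input and output are visible. The function name multikv_model, the sample data, whitespace-delimited columns, first-line header detection and substring matching for filter are all assumptions.

```python
# Constructed sample: the _raw text of one event holding ps-style output.
RAW = """\
  PID USER     %CPU COMMAND
    1 root      0.0 init
  812 splunk    3.1 splunkd
  990 www       0.4 httpd
"""


def multikv_model(raw, fields=None, filter_terms=None,
                  forceheader=None, noheader=False):
    """Return one dict per table row (a model, not Splunk's implementation).

    Assumptions: columns are separated by runs of whitespace, cell values
    contain no spaces, and the first line is the header unless forceheader
    (1-based) says otherwise. "filter" is modelled as a substring match.
    """
    lines = raw.splitlines()
    if noheader:
        rows = [ln for ln in lines if ln.strip()]
        width = max(len(ln.split()) for ln in rows)
        header = ["column%d" % i for i in range(1, width + 1)]
    else:
        idx = forceheader - 1 if forceheader else 0
        header = lines[idx].split()
        rows = [ln for ln in lines[idx + 1:] if ln.strip()]
    events = []
    for row in rows:
        # filter: keep the row only if it contains one of the terms.
        if filter_terms and not any(t in row for t in filter_terms):
            continue
        event = dict(zip(header, row.split()))
        # fields: drop extracted fields that are not in the list.
        if fields:
            event = {k: v for k, v in event.items() if k in fields}
        events.append(event)
    return events


if __name__ == "__main__":
    # Mirrors Example 1: ... | multikv fields COMMAND filter splunkd
    print(multikv_model(RAW, fields=["COMMAND"], filter_terms=["splunkd"]))
    # Mirrors Example 2 with this sample's column names (PID, COMMAND).
    print(multikv_model(RAW, fields=["PID", "COMMAND"]))
```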

See also

extract, kvform, rex, xmlkv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the multikv command.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.1, 6.1.1, 6.1.2, 6.1.3


Comments

in examples, I'm always missing input and output, to understand how that works...
synopsis!=example !

Sbsbb
May 1, 2013
