Usage Of Splunk Commands : MULTIKV

Hi Guys!!!
Today we have come with another interesting command, multikv, which can be very useful.

Definition:
1) The multikv command is used to extract fields and values from events that are table formatted (e.g. the output of top, ps and similar commands).
2) multikv creates a new event for each row of the table, and the title row of the table is used as the header.
3) multikv automatically takes the first row of the event as the field names if it is in CAPITAL LETTERS.
4) multikv can handle multiple tables in a single event (when multitable=true, which is the default), but you may need to ensure that the secondary table header is also in CAPITAL LETTERS.

Syntax of multikv command (the arguments are optional and can be combined):

| multikv [multitable=<bool>] [forceheader=<int>] [fields <field-list>] [noheader=<bool>]

Multikv arguments description:
1) multitable=<bool>: Controls how data that has multiple tables in one event is handled. By default it is true.
2) forceheader=<int>: Forces the row at the given line number (<int>) to be used as the header row.
3) fields <field-list>: Limits the set of fields extracted by the “multikv” command to the listed fields.
4) noheader=<bool>: Handles a data table that has no identifiable header row. The fields are automatically extracted from this kind of data as Column_1, Column_2, Column_3 and so on.

NOTE: noheader=true implies multitable=false. By default, noheader is false.

Example: 1
First, we will show you how the data looks without the multikv command. Please see the query below:

index="demo_test" sourcetype=demo_first

Image: 1

Explanation:
Here we are using the index “demo_test” and the sourcetype “demo_first”, where we have our sample data. As you can see in the above image, all the data is coming in a single event. You can also see that the first row contains the expected field names “NAME” and “AGE” (which, of course, are not extracted).
Now, if we want to extract these two fields, with the values from the different rows of the event aligned with their field names, we can use the multikv command. Please see the query below:

index="demo_test" sourcetype=demo_first
| multikv

Image: 2

Image: 3


Image: 4

Explanation:
As you can see, all the rows are now coming in separate events just by using the “multikv” command [Image 2].
Also, on the left under INTERESTING FIELDS two fields have been created, called “NAME” and “AGE”, because they were present in the first row of the event and were all in capital letters [Image 2].
And you can also see that the “NAME” and “AGE” fields contain values from all the events [Image 3 and Image 4].

Example: 2
In this example we will show you how the “multikv” command handles multiple tables inside a single event.
First, we will show you how the data looks without the “multikv” command. Please see the query below:

index="demo_test" sourcetype=demo_second

Image: 5

Explanation:
Here we are using the index “demo_test” and the sourcetype “demo_second”, where we have our sample data.
As you can see in the above image, we have multiple tables together in one event, i.e. the header fields “NAME” and “AGE” appear twice (in the 1st row and the 4th row).
Now, if we want to extract these two fields, with all the values present in both tables of the event, we can use the multikv command. Please see the query below:

index="demo_test" sourcetype=demo_second
| multikv

Image: 6


Image: 7


Image: 8

Explanation:
As you can see, all the rows are now coming in separate events just by using the “multikv” command [Image 6].
Also, on the left under INTERESTING FIELDS two fields have been created, called “NAME” and “AGE”. Although the headers are present in both the 1st row and the 4th row, multikv auto-detected them and put all the values from the two tables of the event into these fields, because the header of the second table was also in CAPITAL LETTERS [Image 6]. In this case “multitable” must be set to true (by default it is true).
And you can also see that the “NAME” and “AGE” fields contain values from all the events [Image 7 and Image 8].

Example: 3
In this example, we will show you how multikv handles an event with a single table whose header is in small letters.
First, we will show you how the data looks without the multikv command. Please see the query below:

index="demo_test" sourcetype=demo_third

Image: 9

Explanation:
Here we are using the index “demo_test” and the sourcetype “demo_third”, where we have our sample data.
As you can see in the image, the header of the event is in small letters. Please see the query below to see how multikv handles this.

index="demo_test" sourcetype=demo_third
| multikv forceheader=1

Image: 10


Image: 11


Image: 12

Explanation:
Here we have used the “multikv” command with the argument “forceheader=1”. This argument determines which row of the table in the event we want to use as the header, i.e. as the field names.
So, as our header is in the 1st row, we have given “1” as the value of “forceheader”.
As a result you can see that each row is now coming in a separate event, and also, on the left side under INTERESTING FIELDS, two fields have been created, “name” and “age”, which contain values from each row of the table in the event [Image 11 and Image 12].

Example: 4
In this example, we will show you how you can limit the fields extracted by multikv. As you have seen in Example: 3, we extracted two fields from the first row, i.e. “name” and “age”. Now, if we want to extract only one of these fields, please see the query below:

index=demo_test sourcetype=demo_third
| multikv forceheader=1 fields name

Image: 13


Image: 14

Explanation:
Here we are using the “demo_test” index and the sourcetype “demo_third”, where we have our sample data.
Here we have used the “multikv” command with the argument “forceheader=1” (the explanation of forceheader can be found in Example: 3).
As a result you can see that each row is now coming in a separate event.
We have also used the argument “fields” with the field “name”, which specifies that only the “name” field will be extracted.
As a result, you can see on the left side under INTERESTING FIELDS that only the “name” field has been extracted, and it contains values from all the events [Image: 14].

Example: 5
In this example, we will show you how multikv can handle a table without a header row.
First, let’s see how the data looks without the multikv command. Please see the query below:

index=demo_test sourcetype=demo_fourth

Image: 15

Explanation:
Here we are using the “demo_test” index and the sourcetype “demo_fourth”, where we have our sample data. As you can see in the above image, the data we have here has no header that can be identified. In this case, if we want to break the table into separate events and also extract the field values, we can use the “multikv” command with the argument “noheader”. Please see the query below:

index=demo_test sourcetype=demo_fourth
| multikv noheader=t

Image: 16


Image: 17


Image: 18

Explanation:
Here we have used the multikv command with “noheader=t” (“t” for “true”; by default it is false) [Image: 16].
As a result, multikv extracted two fields named “Column_1” and “Column_2” (because the data did not have any header to be identified, noheader automatically named the extracted fields Column_1 and Column_2) [Image: 16].
And you can also see that Column_1 contains the names from all the events and Column_2 contains the ages from all the events [Image: 17 and Image: 18].
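To make the header rules from the definition and Examples 1 to 5 concrete, here is a small Python model of the behaviour described on this page (an added example, not Splunk's implementation or the author's code): it applies the CAPITAL LETTERS header detection and the multitable, forceheader, fields and noheader arguments to constructed events mirroring demo_first through demo_fourth. Whitespace-separated columns and ignoring rows above the header row are assumptions, not something the page states.

```python
import re

# Page rule: a header row is one whose tokens are all in CAPITAL LETTERS.
CAPS_TOKEN = re.compile(r"^[A-Z][A-Z0-9_]*$")

def is_caps_header(cols):
    return bool(cols) and all(CAPS_TOKEN.match(c) for c in cols)

def multikv(event, multitable=True, forceheader=None, fields=None, noheader=False):
    """Model of the multikv behaviour described on this page: one dict per
    table row, keyed by the header row. Assumptions not stated on the page:
    columns are whitespace separated, and rows above the header are ignored."""
    rows = [line.split() for line in event.splitlines() if line.strip()]
    if noheader:
        multitable = False          # page NOTE: noheader=true implies multitable=false
    header, records = None, []
    for n, cols in enumerate(rows, start=1):    # n is the 1-based row number forceheader refers to
        if noheader:
            if header is None:      # no header row: name the fields Column_1, Column_2, ...
                header = [f"Column_{i}" for i in range(1, len(cols) + 1)]
            records.append(dict(zip(header, cols)))
            continue
        if forceheader is not None:
            if n == forceheader:    # forced header row (works for small-letter headers too)
                header = cols
                continue
        elif is_caps_header(cols):
            if header is not None and not multitable:
                break               # a second table starts, but multitable=false: stop after the first
            header = cols           # first table header, or next table header when multitable=true
            continue
        if header is not None:
            records.append(dict(zip(header, cols)))
    if fields:                      # "fields <field-list>": keep only the listed fields
        records = [{k: v for k, v in r.items() if k in fields} for r in records]
    return records

# Constructed sample events mirroring the page's demo_first .. demo_fourth data.
EVENT_CAPS = "NAME AGE\nalice 30\nbob 41\n"                            # Example 1
EVENT_TWO_TABLES = "NAME AGE\nalice 30\nbob 41\nNAME AGE\ncarol 25\n"  # Example 2
EVENT_LOWER = "name age\nalice 30\nbob 41\n"                           # Examples 3 and 4
EVENT_NO_HEADER = "alice 30\nbob 41\n"                                 # Example 5

if __name__ == "__main__":
    print(multikv(EVENT_CAPS))                                         # 2 records, fields NAME/AGE
    print(multikv(EVENT_TWO_TABLES), multikv(EVENT_TWO_TABLES, multitable=False))
    print(multikv(EVENT_LOWER), multikv(EVENT_LOWER, forceheader=1, fields=["name"]))
    print(multikv(EVENT_NO_HEADER, noheader=True))                     # fields Column_1/Column_2
```

Note that the small-letter header of EVENT_LOWER yields no records at all without forceheader=1, which is exactly why Example 3 needs that argument.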

Now you can effectively utilize the “multikv” command in your daily work to meet your requirements!!
Hope you are now comfortable with: Usage of Splunk commands : MULTIKV

Happy Splunking !!
