https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586205#M204197 <P><SPAN>----------------------</SPAN><SPAN class="">-</SPAN> <SPAN class="">DISK</SPAN> <SPAN class="">INFORMATION</SPAN><SPAN> ---------------------------- </SPAN></P> <LI-CODE lang="markup">DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:0:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="1" BOOTDISK="FALSE" DISK="/dev/sdc" NAME="sdc" HCTL="0:0:1:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdd" NAME="sdd" HCTL="0:0:1:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="1" BOOTDISK="FALSE" DISK="/dev/sde" NAME="sde" HCTL="7:0:0:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="7" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdf" NAME="sdf" HCTL="7:0:0:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="7" CHANNEL="0" ID="0" LUN="1" BOOTDISK="FALSE" DISK="/dev/sdg" NAME="sdg" HCTL="7:0:1:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="7" CHANNEL="0" ID="1" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdh" NAME="sdh" HCTL="7:0:1:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="7" CHANNEL="0" ID="1" LUN="1" BOOTDISK="FALSE"</LI-CODE> <P>My multiline event log looks like this in Splunk.&nbsp; Could someone please help me extract all the fields like DISK, NAME, HCTL TYPE, VENDOR, SIZE using&nbsp; SPL...</P> Wed, 23 Feb 2022 18:41:05 GMT ranjithan 2022-02-23T18:41:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586205#M204197 <P><SPAN>----------------------</SPAN><SPAN class="">-</SPAN> <SPAN class="">DISK</SPAN> <SPAN class="">INFORMATION</SPAN><SPAN> ---------------------------- </SPAN></P> <LI-CODE lang="markup">DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:0:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="1" BOOTDISK="FALSE" DISK="/dev/sdc" NAME="sdc" HCTL="0:0:1:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdd" NAME="sdd" HCTL="0:0:1:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="1" BOOTDISK="FALSE" DISK="/dev/sde" NAME="sde" HCTL="7:0:0:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="7" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdf" NAME="sdf" HCTL="7:0:0:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="7" CHANNEL="0" ID="0" LUN="1" BOOTDISK="FALSE" DISK="/dev/sdg" NAME="sdg" HCTL="7:0:1:0" TYPE="disk" VENDOR="3PARdata" SIZE="120G" SCSIHOST="7" CHANNEL="0" ID="1" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdh" NAME="sdh" HCTL="7:0:1:1" TYPE="disk" VENDOR="3PARdata" SIZE="300G" SCSIHOST="7" CHANNEL="0" ID="1" LUN="1" BOOTDISK="FALSE"</LI-CODE> <P>My multiline event log looks like this in Splunk.&nbsp; Could someone please help me extract all the fields like DISK, NAME, HCTL TYPE, VENDOR, SIZE using&nbsp; SPL...</P> Wed, 23 Feb 2022 18:41:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586205#M204197 ranjithan 2022-02-23T18:41:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586211#M204201 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242965">@ranjithan</a>,</P><P>my previous answer isn't ok for your needs?</P><P><A href="https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-values/m-p/586203#M204196" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-values/m-p/586203#M204196</A></P><P>the above regex extracts all the fields from your new logs.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Feb 2022 12:21:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586211#M204201 gcusello 2022-02-23T12:21:24Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586218#M204205 <P>First you need to split the event(s) into separate lines (I have added a row count so you can keep track of the original event if that's important to you). Then extract the name/value pairs. Then create fields based on the names, with their corresponding values. Finally, join the fields together based on which line they came from.</P><LI-CODE lang="markup">| makeresults count=2 | streamstats count as row | eval _raw="----------------------- DISK INFORMATION ---------------------------- DISK=\"/dev/sda\" NAME=\"sda\" HCTL=\"0:0:0:0\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"120G\" SCSIHOST=\"0\" CHANNEL=\"0\" ID=\"0\" LUN=\"0\" BOOTDISK=\"TRUE\" DISK=\"/dev/sdb\" NAME=\"sdb\" HCTL=\"0:0:0:1\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"300G\" SCSIHOST=\"0\" CHANNEL=\"0\" ID=\"0\" LUN=\"1\" BOOTDISK=\"FALSE\" DISK=\"/dev/sdc\" NAME=\"sdc\" HCTL=\"0:0:1:0\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"120G\" SCSIHOST=\"0\" CHANNEL=\"0\" ID=\"1\" LUN=\"0\" BOOTDISK=\"TRUE\" DISK=\"/dev/sdd\" NAME=\"sdd\" HCTL=\"0:0:1:1\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"300G\" SCSIHOST=\"0\" CHANNEL=\"0\" ID=\"1\" LUN=\"1\" BOOTDISK=\"FALSE\" DISK=\"/dev/sde\" NAME=\"sde\" HCTL=\"7:0:0:0\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"120G\" SCSIHOST=\"7\" CHANNEL=\"0\" ID=\"0\" LUN=\"0\" BOOTDISK=\"TRUE\" DISK=\"/dev/sdf\" NAME=\"sdf\" HCTL=\"7:0:0:1\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"300G\" SCSIHOST=\"7\" CHANNEL=\"0\" ID=\"0\" LUN=\"1\" BOOTDISK=\"FALSE\" DISK=\"/dev/sdg\" NAME=\"sdg\" HCTL=\"7:0:1:0\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"120G\" SCSIHOST=\"7\" CHANNEL=\"0\" ID=\"1\" LUN=\"0\" BOOTDISK=\"TRUE\" DISK=\"/dev/sdh\" NAME=\"sdh\" HCTL=\"7:0:1:1\" TYPE=\"disk\" VENDOR=\"3PARdata\" SIZE=\"300G\" SCSIHOST=\"7\" CHANNEL=\"0\" ID=\"1\" LUN=\"1\" BOOTDISK=\"FALSE\"" | multikv forceheader=1 | fields _raw row | rex max_match=0 "(?&lt;namevalue&gt;\S+=\"[^\"]+\")" | streamstats count as _row | mvexpand namevalue | rex field=namevalue "(?&lt;_name&gt;\S+)=\"(?&lt;_value&gt;[^\"]+)\"" | fields - namevalue | eval {_name}=_value | stats values(*) as * by row _row</LI-CODE> Wed, 23 Feb 2022 12:56:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586218#M204205 ITWhisperer 2022-02-23T12:56:49Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586220#M204207 <P>This works, thank you so much Giuseppe&nbsp;</P> Wed, 23 Feb 2022 13:04:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586220#M204207 ranjithan 2022-02-23T13:04:59Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586222#M204209 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242965">@ranjithan</a>,</P><P>if this answer solves your need, please accept it for the other people of Community.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P> Wed, 23 Feb 2022 13:07:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-all-fields-like-DISK/m-p/586222#M204209 gcusello 2022-02-23T13:07:46Z