topic Re: Field extraction in Splunk Search

How to extract all values?

ranjithan — Tue, 22 Feb 2022 21:23:09 GMT

----------------------- DISK INFORMATION ----------------------------

DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="210G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE"

DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="100G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

My log (multiline event) looks like this but Splunk is automatically extracting just the first line . I want to extract all the values.

for example:

NAME=sda

NAME=sdb

Could someone please help me with it

Re: Field extraction

isoutamo — Tue, 22 Feb 2022 15:13:37 GMT

if your input file or what ever is generating this is like this (one DISK on every line)

DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="210G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="100G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

then you can use props.conf in HF/IDX (which one is first from your source)

DATETIME_CONFIG=CURRENT SHOULD_LINEMERGE=true LINE_BREAKER=([\r\n]+) NO_BINARY_CHECK=true

Basically this is what splunk is doing without any configurations.

How you are collecting that disk information?

r. Ismo

Re: Field extraction

ranjithan — Tue, 22 Feb 2022 15:19:15 GMT

it is based on shell script output.

Re: Field extraction

ranjithan — Tue, 22 Feb 2022 15:20:15 GMT

Kindly suggest if it could be done via SPL or regex extractions..

Re: Field extraction

gcusello — Tue, 22 Feb 2022 15:20:29 GMT

Hi @ranjithan,

please try this

| rex "(?ms)^DISK\=\"(?<DISK>[^\"]+)\"\s+NAME\=\"(?<NAMA>[^\"]+)\"\s+HCTL\=\"(?<HCTL>[^\"]+)\"\s+TYPE\=\"(?<TYPE>[^\"]+)\"\s+VENDOR\=\"(?<VENDOR>[^\"]+)\"\s+SIZE\=\"(?<SIZE>[^\"]+)\"\s+SCSIHOST\=\"(?<SCSIHOST>[^\"]+)\"\s+CHANNEL\=\"(?<CHANNEL>[^\"]+)\"\s+ID\=\"(?<ID>[^\"]+)\"\s+LUN\=\"(?<LUN>[^\"]+)\"\s+BOOTDISK\=\"(?<BOOTDISK>[^\"]+)\""

that you can test at https://regex101.com/r/LrfKpR/1

Ciao.

Giuseppe

Re: Field extraction

ranjithan — Wed, 23 Feb 2022 11:55:28 GMT

Thank you. let me try...

Re: Field extraction

gcusello — Wed, 23 Feb 2022 13:07:30 GMT

Hi @ranjithan,

if this answer solves your need, please accept it for the other epople of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉