All Apps and Add-ons

trying to get 1st and 5th column from the text file

ashish_chand
New Member

Could you please help me to fetch the Filesystem and Capacity column only from the text file:

----------- FILE SYSTEM CHECKS ----------------------------
Filesystem kbytes used avail capacity Mounted on
/dev/md/dsk/d10 11360140 7631628 3614911 68% /
/proc 0 0 0 0% /proc
mnttab 0 0 0 0% /etc/mnttab
fd 0 0 0 0% /dev/fd
/dev/md/dsk/d15 8263373 5479764 2700976 67% /var
swap 33522288 48 33522240 1% /var/run
dmpfs 33522240 0 33522240 0% /dev/vx/dmp
dmpfs 33522240 0 33522240 0% /dev/vx/rdmp
swap 8388608 32096 8356512 1% /tmp
/dev/md/dsk/d18 10327372 2343905 7880194 23% /sarlogs
/dev/md/dsk/d16 8263373 3543401 4637339 44% /opt
/dev/md/dsk/d17 99655 12541 77149 14% /vss
/dev/md/dsk/d3 1021735 395206 565225 42% /opt/IBM/ITM
/dev/odm 0 0 0 0% /dev/odm
/dev/vx/dsk/devcmsdg/devcms_storage_checkpoints 204800 1613 190554 1% /etc/vx/vxdba/devcms-DBS
/dev/vx/dsk/devcmsdg/devcms 4608000 2775427 1718168 62% /virginone/devcms

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend
0 Karma

woodcock
Esteemed Legend
0 Karma

adonio
Ultra Champion

hello there,
is that a single event or do you break it at index time?
if the former, will highly recommend to fix onboarding process and have the data parsed correctly and apply fields when indexing the data.
for search time, single events, run the search below anywhere:

| makeresults count=1 
| eval event = "Filesystem kbytes used avail capacity Mounted on
/dev/md/dsk/d10 11360140 7631628 3614911 68% /
/proc 0 0 0 0% /proc
mnttab 0 0 0 0% /etc/mnttab
fd 0 0 0 0% /dev/fd
/dev/md/dsk/d15 8263373 5479764 2700976 67% /var
swap 33522288 48 33522240 1% /var/run
dmpfs 33522240 0 33522240 0% /dev/vx/dmp
dmpfs 33522240 0 33522240 0% /dev/vx/rdmp
swap 8388608 32096 8356512 1% /tmp
/dev/md/dsk/d18 10327372 2343905 7880194 23% /sarlogs
/dev/md/dsk/d16 8263373 3543401 4637339 44% /opt
/dev/md/dsk/d17 99655 12541 77149 14% /vss
/dev/md/dsk/d3 1021735 395206 565225 42% /opt/IBM/ITM
/dev/odm 0 0 0 0% /dev/odm
/dev/vx/dsk/devcmsdg/devcms_storage_checkpoints 204800 1613 190554 1% /etc/vx/vxdba/devcms-DBS
/dev/vx/dsk/devcmsdg/devcms 4608000 2775427 1718168 62% /virginone/devcms" 
| rename COMMENT as "the above generates data below is the solution"
| rex field=event mode=sed "s/([\r\n]+)/;;;;;;;/g" 
| makemv event delim=";;;;;;;" 
| rename COMMENT as "here we substitute every line breaking ([\r\n]+) with string delimiter ";;;;;;;" for easier breaking and expanding"
| mvexpand event
| rename COMMENT as "here we use | rex command to extract relvant fields" 
| rename COMMENT as "note, you can remove the "%" from capacity value by changing the regex to make it numeric and easier for caclulations"
| table event
| rex field=event "(?<file_system>[^\s]+)\s(?<kbytes>[^\s]+)\s(?<used>[^\s]+)\s(?<avail>[^\s]+)\s(?<capacity>[^\s]+)\s(?<mounted_on>[^\s]+)"
| rename COMMENT as "removing the headers, there are many ways to do so" 
| where avail >=0

screenshot below:

alt text

hope it helps

0 Karma

ashish_chand
New Member

hi Adonio,

Its really helpful and explanatory.
suppose my source file is my_file.txt, how i can run above script against my source file to get the desired result in the same format as you have extracted above.

Thanks,
Ashish Chand

0 Karma

adonio
Ultra Champion

the above is not a script, its a query.
youll probably remove everything above line 19 include
add index=YOUR_INDEX_HERE source=my_file.txt before everything.
change all places where you see event to _raw

0 Karma

ashish_chand
New Member

Is this correct format.? I am still not getting request againts this query

| makeresults count=1
|Source="/virginone/dcomp/users/dcomp/Env_Team/Splunk_Extract/tallis_filesysspace_15042019_113004.log"
| rex field=_raw mode=sed "s/([\r\n]+)/;;;;;;;/g"
| makemv _raw delim=";;;;;;;"
| mvexpand _raw
| table _raw
| rex field=_raw "(?[^\s]+)\s(?[^\s]+)\s(?[^\s]+)\s(?[^\s]+)\s(?[^\s]+)\s(?[^\s]+)"
| where avail >=0

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!