Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract fields from hardware sourcetype in unix app

christopher_hod
Path Finder
‎01-17-2013 11:50 AM

So the output of hardware.sh (from the Unix app) is something like this:

KEY                   VALUE
CPU_TYPE              Intel(R) Xeon(R) CPU E5630 @ 2.53GHz
CPU_CACHE             12288 KB
CPU_COUNT             16
HARD_DRIVES           sda (PERC H700) 816 GB; sdb (PERC H800) 18625 GB;
NIC_TYPE              Broadcom NetXtreme II Gigabit
NIC_COUNT             1
MEMORY_REAL           16426668 kB
MEMORY_SWAP           4096564 kB

Is there an easy way to get the key/value pairs into fields properly?

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-18-2013 12:15 AM

You're looking for a regular expression to parse out each line into a variable fieldname according to the key?

First, to get the variable fieldname, you need a props.conf and transforms.conf entry like in this question: http://splunk-base.splunk.com/answers/23409/dynamically-extract-field-names-from-multiline-event

Second, the regular expression would look something like this (untested):

^([A-Z_]+)\s+(.*)
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top