Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract fields from hardware sourcetype in unix app

christopher_hod
Path Finder
‎01-17-2013 11:50 AM

So the output of hardware.sh (from the Unix app) is something like this:

KEY                   VALUE
CPU_TYPE              Intel(R) Xeon(R) CPU E5630 @ 2.53GHz
CPU_CACHE             12288 KB
CPU_COUNT             16
HARD_DRIVES           sda (PERC H700) 816 GB; sdb (PERC H800) 18625 GB;
NIC_TYPE              Broadcom NetXtreme II Gigabit
NIC_COUNT             1
MEMORY_REAL           16426668 kB
MEMORY_SWAP           4096564 kB

Is there an easy way to get the key/value pairs into fields properly?

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-18-2013 12:15 AM

You're looking for a regular expression to parse out each line into a variable fieldname according to the key?

First, to get the variable fieldname, you need a props.conf and transforms.conf entry like in this question: http://splunk-base.splunk.com/answers/23409/dynamically-extract-field-names-from-multiline-event

Second, the regular expression would look something like this (untested):

^([A-Z_]+)\s+(.*)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...