I'm using splunk to search my Cisco ISE logs. There is an ISE app, which is great, but has a pretty significant problem. I'm having trouble working through this problem too though. When splunk reports on the value for SysStatsUtilizationDiskSpace, it takes the first instance, which in this example is 16% for the / mount point.
Within this message it shows the disk space utilization for each mount point, but the mount point name comes after the value. I care specifically about /opt. Is there any way to gather data about the 3rd instance of SysStatsUtilizationDiskSpace or is it possible to show the values for all mount points somehow?
I tried extracting/naming a new field, but didn't have any luck. Any help would be much appreciated.