hi,

I have a event

----------------------- DISK INFORMATION ---------------------------- DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="50G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="500G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

i have mutilple DISK, NAME ETC  in a single event..

I tried below query

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

but am getting only /dev/sda.. i need /dev/sdb as well

Thanks in advance