How to get multiline key value pairs result?

priya1926 · ‎02-22-2022

hi,

I have a event

----------------------- DISK INFORMATION ---------------------------- DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="50G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="500G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

i have mutilple DISK, NAME ETC in a single event..

I tried below query

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

but am getting only /dev/sda.. i need /dev/sdb as well

Thanks in advance

somesoni2 · ‎02-23-2022

Try to add "mv_add" option in extract command

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract mv_add=t pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

ITWhisperer · ‎02-22-2022

| rex max_match=0 "(?<namevalue>\S+=\"[^\"]+\")"
| streamstats count as _row
| mvexpand namevalue
| rex field=namevalue "(?<_name>\S+)=\"(?<_value>[^\"]+)\""
| fields - namevalue
| eval {_name}=_value
| stats values(*) as * by _row

You have multiple values of some of the fields which is why extract doesn't work

How to get multiline key value pairs result?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

How to get multiline key value pairs result?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience