How to get multiline key value pairs result?

priya1926 · ‎02-22-2022

hi,

I have a event

----------------------- DISK INFORMATION ---------------------------- DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="50G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="500G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

i have mutilple DISK, NAME ETC in a single event..

I tried below query

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

but am getting only /dev/sda.. i need /dev/sdb as well

Thanks in advance

somesoni2 · ‎02-23-2022

Try to add "mv_add" option in extract command

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract mv_add=t pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

ITWhisperer · ‎02-22-2022

| rex max_match=0 "(?<namevalue>\S+=\"[^\"]+\")"
| streamstats count as _row
| mvexpand namevalue
| rex field=namevalue "(?<_name>\S+)=\"(?<_value>[^\"]+)\""
| fields - namevalue
| eval {_name}=_value
| stats values(*) as * by _row

You have multiple values of some of the fields which is why extract doesn't work

How to get multiline key value pairs result?

other

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI