Re: How to get multiline key value pairs result?

priya1926 · ‎02-22-2022

hi,

I have a event

----------------------- DISK INFORMATION ---------------------------- DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="50G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="500G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

i have mutilple DISK, NAME ETC in a single event..

I tried below query

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

but am getting only /dev/sda.. i need /dev/sdb as well

Thanks in advance

somesoni2 · ‎02-23-2022

Try to add "mv_add" option in extract command

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract mv_add=t pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

ITWhisperer · ‎02-22-2022

| rex max_match=0 "(?<namevalue>\S+=\"[^\"]+\")"
| streamstats count as _row
| mvexpand namevalue
| rex field=namevalue "(?<_name>\S+)=\"(?<_value>[^\"]+)\""
| fields - namevalue
| eval {_name}=_value
| stats values(*) as * by _row

You have multiple values of some of the fields which is why extract doesn't work

How to get multiline key value pairs result?

Other

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services