How to get multiline key value pairs result?

priya1926 · ‎02-22-2022

hi,

I have a event

----------------------- DISK INFORMATION ---------------------------- DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="50G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE" DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="500G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"

i have mutilple DISK, NAME ETC in a single event..

I tried below query

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

but am getting only /dev/sda.. i need /dev/sdb as well

Thanks in advance

somesoni2 · ‎02-23-2022

Try to add "mv_add" option in extract command

from index | Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host="abc"
| extract mv_add=t pairdelim="{=}" kvdelim=" "
| table host DISK NAME TYPE

ITWhisperer · ‎02-22-2022

| rex max_match=0 "(?<namevalue>\S+=\"[^\"]+\")"
| streamstats count as _row
| mvexpand namevalue
| rex field=namevalue "(?<_name>\S+)=\"(?<_value>[^\"]+)\""
| fields - namevalue
| eval {_name}=_value
| stats values(*) as * by _row

You have multiple values of some of the fields which is why extract doesn't work

How to get multiline key value pairs result?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!