Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiline Event with Values

trever
Loves-to-Learn
‎05-04-2020 11:47 PM

I have an event that is multiple lines:

Mon May  4 22:06:47 PDT 2020
/dev/sdb1       13245631 12450471    127548  99% /Volumes/Media
/dev/sdd2        9460988  7196839   1787272  81% /Volumes/Media 2

I'm trying to turn it into something that I can monitor over time in a time chart but I'm having trouble getting this split up properly. I tried this:

index=sysmon | rex max_match=0 (?<event>.*)\N | rex max_match=0 \/dev\/(?<drive>\w+)\s*(?<blocks>\d+)\s*(?<used>\d+)\s*(?<available>\d+)\s*(?<usepcnt>\d+)%\s*(?<mounted>.*) | timechart span=30m values(used) by drive

It starts to look right in the table, I have time and values but they are all grouped together still:

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2020 06:27 AM

The max_match option of rex produces multi-value fields. You must use mvexpand to create separate events for each value. Perhaps this run-anywhere query will help.

| makeresults 
| eval raw="Mon May  4 22:06:47 PDT 2020
 /dev/sdb1       13245631 12450471    127548  99% /Volumes/Media
 /dev/sdd2        9460988  7196839   1787272  81% /Volumes/Media 2" 
| rex field=raw max_match=0 (?<event>.*)\N 
| mvexpand event
| rex field=event max_match=0 \/dev\/(?<drive>\w+)\s*(?<blocks>\d+)\s*(?<used>\d+)\s*(?<available>\d+)\s*(?<usepcnt>\d+)%\s*(?<mounted>.*)
| timechart span=30m values(used) by drive
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2020 06:27 AM

The max_match option of rex produces multi-value fields. You must use mvexpand to create separate events for each value. Perhaps this run-anywhere query will help.

| makeresults 
| eval raw="Mon May  4 22:06:47 PDT 2020
 /dev/sdb1       13245631 12450471    127548  99% /Volumes/Media
 /dev/sdd2        9460988  7196839   1787272  81% /Volumes/Media 2" 
| rex field=raw max_match=0 (?<event>.*)\N 
| mvexpand event
| rex field=event max_match=0 \/dev\/(?<drive>\w+)\s*(?<blocks>\d+)\s*(?<used>\d+)\s*(?<available>\d+)\s*(?<usepcnt>\d+)%\s*(?<mounted>.*)
| timechart span=30m values(used) by drive
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

trever
Loves-to-Learn
‎05-05-2020 03:54 PM

That did exactly what I was looking for! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...