Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiline Event with Values

trever
Loves-to-Learn
‎05-04-2020 11:47 PM

I have an event that is multiple lines:

Mon May  4 22:06:47 PDT 2020
/dev/sdb1       13245631 12450471    127548  99% /Volumes/Media
/dev/sdd2        9460988  7196839   1787272  81% /Volumes/Media 2

I'm trying to turn it into something that I can monitor over time in a time chart but I'm having trouble getting this split up properly. I tried this:

index=sysmon | rex max_match=0 (?<event>.*)\N | rex max_match=0 \/dev\/(?<drive>\w+)\s*(?<blocks>\d+)\s*(?<used>\d+)\s*(?<available>\d+)\s*(?<usepcnt>\d+)%\s*(?<mounted>.*) | timechart span=30m values(used) by drive

It starts to look right in the table, I have time and values but they are all grouped together still:

alt text

Preview file
75 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2020 06:27 AM

The max_match option of rex produces multi-value fields. You must use mvexpand to create separate events for each value. Perhaps this run-anywhere query will help.

| makeresults 
| eval raw="Mon May  4 22:06:47 PDT 2020
 /dev/sdb1       13245631 12450471    127548  99% /Volumes/Media
 /dev/sdd2        9460988  7196839   1787272  81% /Volumes/Media 2" 
| rex field=raw max_match=0 (?<event>.*)\N 
| mvexpand event
| rex field=event max_match=0 \/dev\/(?<drive>\w+)\s*(?<blocks>\d+)\s*(?<used>\d+)\s*(?<available>\d+)\s*(?<usepcnt>\d+)%\s*(?<mounted>.*)
| timechart span=30m values(used) by drive
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2020 06:27 AM

The max_match option of rex produces multi-value fields. You must use mvexpand to create separate events for each value. Perhaps this run-anywhere query will help.

| makeresults 
| eval raw="Mon May  4 22:06:47 PDT 2020
 /dev/sdb1       13245631 12450471    127548  99% /Volumes/Media
 /dev/sdd2        9460988  7196839   1787272  81% /Volumes/Media 2" 
| rex field=raw max_match=0 (?<event>.*)\N 
| mvexpand event
| rex field=event max_match=0 \/dev\/(?<drive>\w+)\s*(?<blocks>\d+)\s*(?<used>\d+)\s*(?<available>\d+)\s*(?<usepcnt>\d+)%\s*(?<mounted>.*)
| timechart span=30m values(used) by drive
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

trever
Loves-to-Learn
‎05-05-2020 03:54 PM

That did exactly what I was looking for! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...