Getting Data In

Parsing fields from AIX fcstat command which looks similar to Windows INI file type headers

rasingh
Path Finder

I am trying to extract the fields from the AIX command fcstat so I can grap SAN HBA statistics. The output of the command looks like this:

FIBRE CHANNEL STATISTICS REPORT: fcs0

Device Type: FC Adapter (df1000fd) Serial Number: 1B702043B8 Option ROM Version: 02C82138 Firmware Version: B1F2.10X8 World Wide Node Name: 0x20000000C960247C World Wide Port Name: 0x10000000C960247C

FC-4 TYPES: Supported: 0x0000012000000000000000000000000000000000000000000000000000000000 Active: 0x0000010000000000000000000000000000000000000000000000000000000000 Class of Service: 3 Port Speed (supported): 4 GBIT Port Speed (running): 4 GBIT Port FC ID: 0x0B0200 Port Type: Fabric

Seconds Since Last Reset: 241854

    Transmit Statistics     Receive Statistics
    -------------------     ------------------

Frames: 35280017 2032589969 Words: 1059862272 1035519376896

LIP Count: 0 NOS Count: 0 Error Frames: 0 Dumped Frames: 0 Link Failure Count: 2 Loss of Sync Count: 7 Loss of Signal: 0 Primitive Seq Protocol Error Count: 0 Invalid Tx Word Count: 0 Invalid CRC Count: 0

IP over FC Adapter Driver Information No DMA Resource Count: 0 No Adapter Elements Count: 0

FC SCSI Adapter Driver Information No DMA Resource Count: 0 No Adapter Elements Count: 0 No Command Resource Count: 0

IP over FC Traffic Statistics Input Requests: 0 Output Requests: 0 Control Requests: 0 Input Bytes: 0 Output Bytes: 0

FC SCSI Traffic Statistics Input Requests: 33917094 Output Requests: 85299 Control Requests: 110563 Input Bytes: 4092534813953

Output Bytes: 2301687080

Would I have to have multiple extracts for the different sections of this output or use a custom python parser/command to add to splunk (e.g. ConfigParser) ?

Tags (3)
0 Karma
1 Solution

dwaddle
SplunkTrust
SplunkTrust

When pasting formatted text into the answers site, you should be careful to use the formatting tools to help avoid it looking like gibberish. I've put in a copy of output from the same command on one of my AIX boxes below.

Without a clear definition of which data elements you are trying to extract, your question is a little tough to answer. But, from just looking at all of the data elements available you should be able to get most, if not all, using a series of field extractions in transforms.conf/props.conf. The "IP over FC Traffic Statistics" and "FC SCSI Traffic Statistics" worry me a little, because I'm not sure what the regex would have to be to give a hint of which "Input Bytes" you were looking at.

That said, if I were doing a scripted input for this information -- I would pre-parse it within the scripted input, so as to eliminate the information I don't want and to simplify the text of the event. (And I'd probably use awk to do the pre-parsing)

FIBRE CHANNEL STATISTICS REPORT: fcs0

Device Type: 4Gb FC PCI Express Adapter (df1000fe) (adapter/pciex/df1000fe)
Serial Number: 1B8340564B
Option ROM Version: 02E82752
Firmware Version: Z1F2.70A5 
World Wide Node Name: 0x20000000C97E870C
World Wide Port Name: 0x10000000C97E870C

FC-4 TYPES:
  Supported: 0x0000012000000000000000000000000000000000000000000000000000000000
  Active:    0x0000010000000000000000000000000000000000000000000000000000000000
Class of Service: 3
Port Speed (supported): 4 GBIT
Port Speed (running):   2 GBIT
Port FC ID: 0x02000f
Port Type: Fabric

Seconds Since Last Reset: 41082482        

        Transmit Statistics     Receive Statistics
        -------------------     ------------------
Frames: 4294967295              4294967295      
Words:  1099511627520           1099511627520   

LIP Count: 0               
NOS Count: 0               
Error Frames:  0               
Dumped Frames: 0               
Link Failure Count: 0               
Loss of Sync Count: 1               
Loss of Signal: 0               
Primitive Seq Protocol Error Count: 0               
Invalid Tx Word Count: 40              
Invalid CRC Count: 0               

IP over FC Adapter Driver Information
  No DMA Resource Count: 0               
  No Adapter Elements Count: 0               

FC SCSI Adapter Driver Information
  No DMA Resource Count: 0               
  No Adapter Elements Count: 0               
  No Command Resource Count: 0               

IP over FC Traffic Statistics
  Input Requests:   0               
  Output Requests:  0               
  Control Requests: 0               
  Input Bytes:  0               
  Output Bytes: 0               

FC SCSI Traffic Statistics
  Input Requests:   13369251091     
  Output Requests:  10294653317     
  Control Requests: 683648          
  Input Bytes:  590049438550728 
  Output Bytes: 195747341427076 

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

When pasting formatted text into the answers site, you should be careful to use the formatting tools to help avoid it looking like gibberish. I've put in a copy of output from the same command on one of my AIX boxes below.

Without a clear definition of which data elements you are trying to extract, your question is a little tough to answer. But, from just looking at all of the data elements available you should be able to get most, if not all, using a series of field extractions in transforms.conf/props.conf. The "IP over FC Traffic Statistics" and "FC SCSI Traffic Statistics" worry me a little, because I'm not sure what the regex would have to be to give a hint of which "Input Bytes" you were looking at.

That said, if I were doing a scripted input for this information -- I would pre-parse it within the scripted input, so as to eliminate the information I don't want and to simplify the text of the event. (And I'd probably use awk to do the pre-parsing)

FIBRE CHANNEL STATISTICS REPORT: fcs0

Device Type: 4Gb FC PCI Express Adapter (df1000fe) (adapter/pciex/df1000fe)
Serial Number: 1B8340564B
Option ROM Version: 02E82752
Firmware Version: Z1F2.70A5 
World Wide Node Name: 0x20000000C97E870C
World Wide Port Name: 0x10000000C97E870C

FC-4 TYPES:
  Supported: 0x0000012000000000000000000000000000000000000000000000000000000000
  Active:    0x0000010000000000000000000000000000000000000000000000000000000000
Class of Service: 3
Port Speed (supported): 4 GBIT
Port Speed (running):   2 GBIT
Port FC ID: 0x02000f
Port Type: Fabric

Seconds Since Last Reset: 41082482        

        Transmit Statistics     Receive Statistics
        -------------------     ------------------
Frames: 4294967295              4294967295      
Words:  1099511627520           1099511627520   

LIP Count: 0               
NOS Count: 0               
Error Frames:  0               
Dumped Frames: 0               
Link Failure Count: 0               
Loss of Sync Count: 1               
Loss of Signal: 0               
Primitive Seq Protocol Error Count: 0               
Invalid Tx Word Count: 40              
Invalid CRC Count: 0               

IP over FC Adapter Driver Information
  No DMA Resource Count: 0               
  No Adapter Elements Count: 0               

FC SCSI Adapter Driver Information
  No DMA Resource Count: 0               
  No Adapter Elements Count: 0               
  No Command Resource Count: 0               

IP over FC Traffic Statistics
  Input Requests:   0               
  Output Requests:  0               
  Control Requests: 0               
  Input Bytes:  0               
  Output Bytes: 0               

FC SCSI Traffic Statistics
  Input Requests:   13369251091     
  Output Requests:  10294653317     
  Control Requests: 683648          
  Input Bytes:  590049438550728 
  Output Bytes: 195747341427076 
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...