Splunk Search

Any way to parse key/value pair where key follows value?

crberus
Explorer

I am trying to parse useful per-protocol summary performance information from our NetApp SAN heads' syslogging and wonder if anyone can lend any advice on any quick and easy ways to parse a key/value pair from a situation where the value precedes the key. Here is a tiny snippet of the logs that I am working from:

Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]:   8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]:   8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops

Each performance pair that I care about in there can be easily described with:

[value] [key] ops,

The following PCRE extracts the info into named groups perfectly:

(?<perf_value>\d+)\s(?<perf_key>\w+)(?:\sops)

Will my only choice be to iterate through looking for each protocol and assigning it a value, or is there some efficient way to allow it to recognize the key/value pairs without having to iterate through defining, identifying and parsing out the value?

I've been monkeying around with extract and multikv, but I'm not seeing any way that stands out with the formatting of this data. I'm curious about kvform, but reading the help on it, it would seem as though it expects traditional key-then-value format and I'm not sure if there's a way to get it to recognize the reverse.

Tangent Question: Is it more efficient to use the PCRE above with the terminating non-capturing atomic group, or to use lookahead like so (both work):

(?<perf_value>\d+)\s(?<perf_key>\w+)(?=\sops)

Thanks!

Jim

1 Solution

dwaddle
SplunkTrust
SplunkTrust

This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype is set to netapp.

(props.conf)

[netapp]
REPORT-netapp=netapp

(transforms.conf)

[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype is set to netapp.

(props.conf)

[netapp]
REPORT-netapp=netapp

(transforms.conf)

[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1

crberus
Explorer

Very sorry for the super late response, but my task list was abruptly redirected and I only just now had a chance to get back to this project. Your suggestion worked perfectly - thank you very much for your help!

0 Karma

dwaddle
SplunkTrust
SplunkTrust

progress? success? I'm curious... 🙂

0 Karma

crberus
Explorer

Thank you - I was apparently too focused on widdling it down in search first and hadn't moved on to attempting to do it in props/transforms. I am going to add it in and I will confirm your answer shortly!

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...