I am trying to parse useful per-protocol summary performance information from our NetApp SAN heads' syslogging and wonder if anyone can lend any advice on any quick and easy ways to parse a key/value pair from a situation where the value precedes the key. Here is a tiny snippet of the logs that I am working from:
Dec 2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]: 8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops
Dec 2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]: 8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops
Dec 2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]: 8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
Dec 2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]: 8:00am up 3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops
Each performance pair that I care about in there can be easily described with:
[value] [key] ops,
The following PCRE extracts the info into named groups perfectly:
(?<perf_value>\d+)\s(?<perf_key>\w+)(?:\sops)
Will my only choice be to iterate through looking for each protocol and assigning it a value, or is there some efficient way to allow it to recognize the key/value pairs without having to iterate through defining, identifying and parsing out the value?
I've been monkeying around with extract and multikv, but I'm not seeing any way that stands out with the formatting of this data. I'm curious about kvform, but reading the help on it, it would seem as though it expects traditional key-then-value format and I'm not sure if there's a way to get it to recognize the reverse.
Tangent Question: Is it more efficient to use the PCRE above with the terminating non-capturing atomic group, or to use lookahead like so (both work):
(?<perf_value>\d+)\s(?<perf_key>\w+)(?=\sops)
Thanks!
Jim
This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype
is set to netapp
.
(props.conf)
[netapp]
REPORT-netapp=netapp
(transforms.conf)
[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1
This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype
is set to netapp
.
(props.conf)
[netapp]
REPORT-netapp=netapp
(transforms.conf)
[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1
Very sorry for the super late response, but my task list was abruptly redirected and I only just now had a chance to get back to this project. Your suggestion worked perfectly - thank you very much for your help!
progress? success? I'm curious... 🙂
Thank you - I was apparently too focused on widdling it down in search first and hadn't moved on to attempting to do it in props/transforms. I am going to add it in and I will confirm your answer shortly!