Splunk Search

Any way to parse key/value pair where key follows value?

crberus
Explorer

I am trying to parse useful per-protocol summary performance information from our NetApp SAN heads' syslogging and wonder if anyone can lend any advice on any quick and easy ways to parse a key/value pair from a situation where the value precedes the key. Here is a tiny snippet of the logs that I am working from:

Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]:   8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]:   8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops

Each performance pair that I care about in there can be easily described with:

[value] [key] ops,

The following PCRE extracts the info into named groups perfectly:

(?<perf_value>\d+)\s(?<perf_key>\w+)(?:\sops)

Will my only choice be to iterate through looking for each protocol and assigning it a value, or is there some efficient way to allow it to recognize the key/value pairs without having to iterate through defining, identifying and parsing out the value?

I've been monkeying around with extract and multikv, but I'm not seeing any way that stands out with the formatting of this data. I'm curious about kvform, but reading the help on it, it would seem as though it expects traditional key-then-value format and I'm not sure if there's a way to get it to recognize the reverse.

Tangent Question: Is it more efficient to use the PCRE above with the terminating non-capturing atomic group, or to use lookahead like so (both work):

(?<perf_value>\d+)\s(?<perf_key>\w+)(?=\sops)

Thanks!

Jim

1 Solution

dwaddle
SplunkTrust

This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype is set to netapp.

(props.conf)

[netapp]
REPORT-netapp=netapp

(transforms.conf)

[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1
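
The same value-then-key swap carried out outside Splunk, as an added example that is not code from the thread or from Splunk: it runs the question's PCRE over the sample lines above with finditer(), so every "<value> <key> ops" pair on a line is captured in one pass and the uptime token "21 days," (not followed by " ops") is left alone. The sample text is copied from the question; the syslog-prefix regex used to pull out the host is my assumption about the line layout.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: two of the lines quoted in the question, verbatim.
SAMPLE_LOGS = """\
Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops
"""

# The thread's PCRE; Python spells named groups as (?P<name>...).
PAIR_RE = re.compile(r"(?P<perf_value>\d+)\s(?P<perf_key>\w+)(?:\sops)")

# Assumed syslog prefix "Mon  D HH:MM:SS host ..."; the host is the third field.
HOST_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s")


def parse_line(line: str) -> Tuple[str, Dict[str, int]]:
    """Return (host, {protocol: ops}) for one kern.uptime.filer line.

    finditer() visits every match, so the key/value swap happens once per
    pair without enumerating protocol names. "21 days," never matches
    because the group after the number must be followed by " ops".
    """
    m = HOST_RE.match(line)
    host = m.group("host") if m else "unknown"
    ops = {p.group("perf_key"): int(p.group("perf_value"))
           for p in PAIR_RE.finditer(line)}
    return host, ops


def parse_logs(text: str) -> Dict[str, Dict[str, int]]:
    """Parse many lines into {host: {protocol: ops}}; blank lines are skipped."""
    result: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        if line.strip():
            host, ops = parse_line(line)
            result[host] = ops
    return result


if __name__ == "__main__":
    for host, ops in parse_logs(SAMPLE_LOGS).items():
        print(host, ops)
```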

crberus
Explorer

Very sorry for the super late response, but my task list was abruptly redirected and I only just now had a chance to get back to this project. Your suggestion worked perfectly - thank you very much for your help!


dwaddle
SplunkTrust

progress? success? I'm curious... 🙂


crberus
Explorer

Thank you - I was apparently too focused on whittling it down in search first and hadn't moved on to attempting to do it in props/transforms. I am going to add it in and I will confirm your answer shortly!
