Splunk Search

Any way to parse key/value pair where key follows value?

crberus
Explorer

I am trying to parse useful per-protocol summary performance information from our NetApp SAN heads' syslogging and wonder if anyone can lend any advice on any quick and easy ways to parse a key/value pair from a situation where the value precedes the key. Here is a tiny snippet of the logs that I am working from:

Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]:   8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]:   8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops

Each performance pair that I care about in there can be easily described with:

[value] [key] ops,

The following PCRE extracts the info into named groups perfectly:

(?<perf_value>\d+)\s(?<perf_key>\w+)(?:\sops)

Will my only choice be to iterate through looking for each protocol and assigning it a value, or is there some efficient way to allow it to recognize the key/value pairs without having to iterate through defining, identifying and parsing out the value?

I've been monkeying around with extract and multikv, but I'm not seeing any way that stands out with the formatting of this data. I'm curious about kvform, but reading the help on it, it would seem as though it expects traditional key-then-value format and I'm not sure if there's a way to get it to recognize the reverse.

Tangent Question: Is it more efficient to use the PCRE above with the terminating non-capturing atomic group, or to use lookahead like so (both work):

(?<perf_value>\d+)\s(?<perf_key>\w+)(?=\sops)

Thanks!

Jim

1 Solution

dwaddle
SplunkTrust

This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype is set to netapp.

(props.conf)

[netapp]
REPORT-netapp=netapp

(transforms.conf)

[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1
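As an added illustration (not the poster's or dwaddle's code), the Python below applies the accepted transforms.conf regex to the four sample lines and builds per-host fields the way FORMAT = $2::$1 does (field name from group 2, value from group 1), then checks that the lookahead variant from the tangent question yields identical matches. The host-extraction regex is an assumption added for this example only.

```python
import re

# The four syslog lines quoted in the question, embedded here as sample input.
SAMPLE_EVENTS = [
    "Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops",
    "Dec  2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]:   8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops",
    "Dec  2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]:   8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops",
    "Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops",
]

# Same regex as the accepted transforms.conf stanza: group 1 = value, group 2 = key.
NONCAPTURING = re.compile(r"(\d+)\s(\w+)(?:\sops)")
# The lookahead variant from the tangent question; " ops" is asserted, not consumed.
LOOKAHEAD = re.compile(r"(\d+)\s(\w+)(?=\sops)")
# Assumed syslog header layout: "Mon  D HH:MM:SS host ..." (assumption for this example).
HOST_RE = re.compile(r"^\w{3}\s+\d+\s\S+\s(\S+)\s")


def extract_ops(event, pattern=NONCAPTURING):
    """Emulate FORMAT = $2::$1: every match becomes field <group2> = <group1>.

    Splunk keeps field values as strings; they are converted to int here so
    the counters can be compared numerically.
    """
    fields = {}
    for value, key in pattern.findall(event):
        fields[key] = int(value)
    return fields


def parse_events(events, pattern=NONCAPTURING):
    """Return {host: {protocol: ops_count}} for each event whose header parses."""
    per_host = {}
    for event in events:
        m = HOST_RE.match(event)
        if m is None:
            continue  # not a syslog-shaped line; skip rather than mis-attribute
        per_host[m.group(1)] = extract_ops(event, pattern)
    return per_host


def variants_agree(events):
    """True when the (?:\\sops) and (?=\\sops) forms extract identical pairs."""
    return all(extract_ops(e, NONCAPTURING) == extract_ops(e, LOOKAHEAD) for e in events)


if __name__ == "__main__":
    for host, fields in parse_events(SAMPLE_EVENTS).items():
        print(host, fields)
    print("variants agree:", variants_agree(SAMPLE_EVENTS))
```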


crberus
Explorer

Very sorry for the super late response, but my task list was abruptly redirected and I only just now had a chance to get back to this project. Your suggestion worked perfectly - thank you very much for your help!

0 Karma

dwaddle
SplunkTrust

progress? success? I'm curious... 🙂

0 Karma

crberus
Explorer

Thank you - I was apparently too focused on whittling it down in search first and hadn't moved on to attempting to do it in props/transforms. I am going to add it in and I will confirm your answer shortly!

0 Karma