Splunk Search

Any way to parse key/value pair where key follows value?

crberus
Explorer

I am trying to parse useful per-protocol summary performance information from our NetApp SAN heads' syslogging and wonder if anyone can lend any advice on any quick and easy ways to parse a key/value pair from a situation where the value precedes the key. Here is a tiny snippet of the logs that I am working from:

Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]:   8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]:   8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops
Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops

Each performance pair that I care about in there can be easily described with:

[value] [key] ops,

The following PCRE extracts the info into named groups perfectly:

(?<perf_value>\d+)\s(?<perf_key>\w+)(?:\sops)

Will my only choice be to iterate through looking for each protocol and assigning it a value, or is there some efficient way to allow it to recognize the key/value pairs without having to iterate through defining, identifying and parsing out the value?

I've been monkeying around with extract and multikv, but I'm not seeing any way that stands out with the formatting of this data. I'm curious about kvform, but reading the help on it, it would seem as though it expects traditional key-then-value format and I'm not sure if there's a way to get it to recognize the reverse.

Tangent Question: Is it more efficient to use the PCRE above with the terminating non-capturing atomic group, or to use lookahead like so (both work):

(?<perf_value>\d+)\s(?<perf_key>\w+)(?=\sops)

Thanks!

Jim

1 Solution

dwaddle
SplunkTrust

This should be much, much easier done in props/transforms. These worked for me with your data - under the assumption that your sourcetype is set to netapp.

(props.conf)

[netapp]
REPORT-netapp=netapp

(transforms.conf)

[netapp]
REGEX=(\d+)\s(\w+)(?:\sops)
FORMAT = $2::$1

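As an added example (not part of the original thread, and not Splunk code), the following Python applies the same regex to the four syslog lines quoted in the question and performs the $2::$1 swap in code, so you can see exactly what the REPORT extraction produces per host before wiring it into props/transforms. It also runs the consuming-group and lookahead variants from the tangent question side by side. The sample lines are copied from the question; the host regex, the EXPECTED_PROTOCOLS set and the function names are assumptions made for this example.

```python
import re

# Constructed sample input: the four kern.uptime.filer lines quoted in the
# question, reproduced here as test data (not live syslog).
SAMPLE_LOGS = [
    "Dec  2 08:00:00 netappa01 [netappa01: kern.uptime.filer:info]:   8:00am up 21 days, 21:20 1 NFS ops, 0 CIFS ops, 0 HTTP ops, 1240293785 FCP ops, 0 iSCSI ops",
    "Dec  2 08:00:00 netappa02 [netappa02: kern.uptime.filer:info]:   8:00am up 21 days, 22:07 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 131893495 FCP ops, 0 iSCSI ops",
    "Dec  2 08:00:00 netappb01 [netappb01: kern.uptime.filer:info]:   8:00am up 13 days, 13:58 27873 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 0 iSCSI ops",
    "Dec  2 08:00:00 netappb02 [netappb02: kern.uptime.filer:info]:   8:00am up  3 days, 12:54 328648270 NFS ops, 0 CIFS ops, 11 HTTP ops, 117737997 FCP ops, 0 iSCSI ops",
]

# The accepted transforms.conf REGEX with its two captures named.  Group 1 is
# the value and group 2 the key, which is why the answer's FORMAT = $2::$1
# takes the field name from the second capture and the value from the first.
PAIR_RE = re.compile(r"(?P<perf_value>\d+)\s(?P<perf_key>\w+)(?:\sops)")

# The lookahead variant from the tangent question: it requires " ops" to
# follow the key but does not consume it.
PAIR_RE_LOOKAHEAD = re.compile(r"(?P<perf_value>\d+)\s(?P<perf_key>\w+)(?=\sops)")

# Syslog header "Mon dd HH:MM:SS host ..." as it appears in the sample lines
# (assumption for this example; only the host is used).
HOST_RE = re.compile(r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<host>\S+)\s")

# Protocols an uptime line is expected to report (assumption for this example).
# Anything else the pattern matches is reported rather than silently accepted.
EXPECTED_PROTOCOLS = {"NFS", "CIFS", "HTTP", "FCP", "iSCSI"}


def extract_ops(line, pattern=PAIR_RE):
    """Return {protocol: op_count} for one line, swapping value/key order.

    finditer() walks every non-overlapping match, so all pairs come out of a
    single pass over the event, which is what the REPORT extraction with
    $2::$1 does instead of one rex per protocol.
    """
    return {m.group("perf_key"): int(m.group("perf_value"))
            for m in pattern.finditer(line)}


def parse_hosts(lines):
    """Map each filer hostname to its per-protocol op counts."""
    table = {}
    for line in lines:
        head = HOST_RE.match(line)
        if head is None or "kern.uptime.filer" not in line:
            continue  # not an uptime line; skip rather than mis-parse it
        table[head.group("host")] = extract_ops(line)
    return table


def unexpected_keys(table):
    """Extracted keys that are not known protocols.

    The transform is applied to every event of the sourcetype, so a stray
    "<digits> <word> ops" elsewhere would surface as a bogus field.  This is
    the sanity check to run on real data before trusting the numbers.
    """
    seen = set()
    for ops in table.values():
        seen.update(ops)
    return seen - EXPECTED_PROTOCOLS


def busiest(table, protocol):
    """Hostname with the largest count for `protocol`, or None if nobody reports it."""
    hosts = [h for h, ops in table.items() if protocol in ops]
    if not hosts:
        return None
    return max(hosts, key=lambda h: table[h][protocol])


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_LOGS)
    for host, ops in parsed.items():
        print(host, ops)
    print("unexpected keys:", unexpected_keys(parsed))
    print("busiest FCP head:", busiest(parsed, "FCP"))
```

On the tangent question: for these lines the two patterns yield identical pairs, because each match ends before the next number starts, so whether " ops" is consumed or merely asserted never changes where the next search begins. They would only diverge if the text one match consumes could also be the beginning of the following match, which this format does not allow.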


crberus
Explorer

Very sorry for the super late response, but my task list was abruptly redirected and I only just now had a chance to get back to this project. Your suggestion worked perfectly - thank you very much for your help!


dwaddle
SplunkTrust

progress? success? I'm curious... 🙂


crberus
Explorer

Thank you - I was apparently too focused on whittling it down in search first and hadn't moved on to attempting to do it in props/transforms. I am going to add it in and I will confirm your answer shortly!
