
Creating a table from a single event with multivalue field

Path Finder

I have an event that has disk information like: there are hosts that have more or fewer mountpoints. So I need to automate this.


Now I'm trying to get a table like:
Mountpoint | used | crit ....
/ | 1828716544 | 4392484864 ...


Because there were misunderstandings, here are a few more details:

The event cannot be split because there are many more details in it that I use. The event contains only information for a single host. In the example above there are only a few "mountpoints"; in this example I have the fields /, /_crit, /_max, /_warn, which are automatically extracted by Splunk. (There can be a lot more of these fields, for example /var/log or /opt/ and so on, so it needs to be dynamic.)

Now I want to calculate per "mountpoint" (like / and /boot in the example) the usage, max, ...

I was thinking it would be helpful to create an MV field with regex so that I have all paths in one field (Path has the values / and /boot).

0 Karma
1 Solution

Path Finder
index=* sourcetype=mysourcetype check_command=disk hostname=myhostname
| dedup hostname 
| rex mode=sed "s/(\"\_(\/|\/[a-zA-Z\/]+))\"/\1_used\"/g"
| rex max_match=0 "(?<bbb>\"\_(\/|\/[a-zA-Z\/]+)\_\w+\"\:\d+\.\d+\,)" 
| table bbb | eval aaa=mvsort(bbb)
| rex max_match=0 field=aaa "\_(?<path>(\/|\/[a-zA-Z\/]+)\_used)\"\:(?<used>\d+)"
| rex max_match=0 field=aaa "_crit\":(?<crit>\d+)" 
| rex max_match=0 field=aaa "_max\":(?<max>\d+)"
| rex max_match=0 field=aaa "_warn\":(?<warn>\d+)" 
| eval zip=mvzip(path,used,"##") 
| eval zip=mvzip(zip,crit,"##")
| eval zip=mvzip(zip,max,"##")
| eval zip=mvzip(zip,warn,"##")
| mvexpand zip 
| rex max_match=0 field=zip "(?<path>.*)##(?<used>.*)##(?<crit>.*)##(?<max>.*)##(?<warn>.*)"
| fields - zip 
| eval used=used/1024/1024
| eval crit=crit/1024/1024 
| eval max=max/1024/1024 
| eval warn=warn/1024/1024
| eval free=max-used
| eval percent=(used/max*100)
| eval percent=round(percent,0)
| table path free used max percent
| rex mode=sed field=path "s/_used//" 

Here is my result. The main event was JSON and the mountpoints were not sorted, so I first had to modify the fields with sed before I could sort them correctly with mvsort. Then I created some more MV fields with rex and built an "array" with mvzip.

For me, this is a good solution. I can process several fields per event in this way. It performs very well for me.


0 Karma
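As an added example, not code from the thread: the same transformation the accepted answer performs in SPL (group the per-mountpoint keys of one JSON event, sort them, convert bytes to MiB, compute free and percent), written in Python so the logic can be checked outside Splunk. The sample event, its key layout (`_/`, `_/_crit`, `_/_max`, `_/_warn`, as the accepted answer's regexes assume) and the extra `state` column that compares usage with the event's warn/crit thresholds are assumptions of this example and go beyond what the thread shows.

```python
import json
import re

# Constructed sample event (not from the page). Key layout follows what the
# accepted answer's regexes assume: "_<mountpoint>" holds bytes used and
# "_<mountpoint>_crit|_max|_warn" the thresholds and capacity, also in bytes.
SAMPLE_EVENT = json.dumps({
    "hostname": "myhostname", "check_command": "disk",
    "_/boot": 440401920.0, "_/boot_crit": 471859200.0,
    "_/boot_max": 524288000.0, "_/boot_warn": 419430400.0,
    "_/": 1828716544.0, "_/_crit": 4392484864.0,
    "_/_max": 5242880000.0, "_/_warn": 4194304000.0,
    "_/var/log": 104857600.0, "_/var/log_crit": 943718400.0,
    "_/var/log_max": 1048576000.0,  # no _warn key: must not break the table
})

# Lazy path plus an anchored optional suffix: "_/var/log_crit" -> path=/var/log,
# metric=crit. A mountpoint literally named "/x_max" is ambiguous in this key
# scheme, exactly as it is for the SPL regexes in the accepted answer.
KEY_RE = re.compile(r"^_?(?P<path>/[A-Za-z0-9_./-]*?)(?:_(?P<metric>crit|max|warn))?$")
MIB = 1024 * 1024


def parse_disk_event(raw):
    """Group the flat per-mountpoint keys of one JSON event by mountpoint."""
    mounts = {}
    for key, value in json.loads(raw).items():
        m = KEY_RE.match(key)
        if not m:
            continue  # hostname, check_command etc. are not disk keys
        metric = m.group("metric") or "used"  # bare key = bytes used
        mounts.setdefault(m.group("path"), {})[metric] = float(value)
    return mounts


def build_table(mounts):
    """One row per mountpoint in MiB, sorted like mvsort in the accepted answer,
    plus a state column comparing usage with the event's warn/crit thresholds."""
    rows = []
    for path in sorted(mounts):
        v = mounts[path]
        if "used" not in v or not v.get("max"):
            continue  # incomplete mount: free/percent cannot be computed
        used, cap, crit, warn = v["used"], v["max"], v.get("crit"), v.get("warn")
        state = ("crit" if crit is not None and used >= crit
                 else "warn" if warn is not None and used >= warn else "ok")
        rows.append({"path": path, "free": (cap - used) / MIB, "used": used / MIB,
                     "max": cap / MIB, "percent": round(used / cap * 100),
                     "state": state})
    return rows
```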


If you are trying to get a horizontal table of all mountpoints for each host, then this will calculate them.

 your base search which includes hostname and multivalued field Mountpoint 
 | table hostname Mountpoint
 | mvexpand Mountpoint 
 | rex field=Mountpoint "(?<Mountpoint>[^\=]+)\=(?<used>\d+)" 

 | rename COMMENT as "Deal with things that wouldn't be valid variable names"
 | replace "\\" WITH "XX_" IN Mountpoint
 | eval {Mountpoint} = used
 | fields - Mountpoint used
 | stats values(*) as * by hostname

At this point, the values are splayed out horizontally, but I'm not sure how useful that will be to look at. Using chart with useother=f will give you a pretty wide thing to look at.

Unless you have a reason to want to compare the mountpoints across hosts, you might be better off going this way...

 your base search which includes hostname and multivalued field Mountpoint 
 | table hostname Mountpoint
 | mvexpand Mountpoint 
 | rex field=Mountpoint "(?<Mountpoint>[^\=]+)\=(?<used>\d+)" 
 | sort 0 hostname Mountpoint
 | stats list(Mountpoint) as Mountpoint  list(used) as used by hostname
0 Karma

Path Finder

Hi, thanks for your answer. I don't think that works. I've updated the question so that it is more understandable.

0 Karma


@ColinCH - I don't recognize why _crit would roll up, or what the rest of your desired chart might look like.

@somesoni2's answer will work if you are willing to take each individual mountpoint as listed.

If you want to roll up the mountpoints, like if everything under / needs to be tabled somehow as belonging to /, and everything under /foo/bar needs to be rolled up to /foo, then you should give us a clear picture of what the specs might be, with example data and the layout, more than a single line.

0 Karma

Revered Legend

Try like this

your base search which includes multivalued field Mountpoint 
| mvexpand Mountpoint 
| rex field=Mountpoint "(?<Mountpoint>[^\=]+)\=(?<used>\d+)" 
| table Mountpoint used ...any other field you need

Path Finder

Thanks, but that is not what I want. I've updated my initial question, so there is much more detail now.

0 Karma

Splunk Employee

Are the values consistent in the multivalue field? If so, you could use mvindex to create a field for each.

YOUR BASE SEARCH | eval field1=mvindex(bytes,0) | eval field2=mvindex(bytes,1)
0 Karma