----------------------- DISK INFORMATION ----------------------------
DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="210G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE"
DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="100G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"
My log (multiline event) looks like this but Splunk is automatically extracting just the first line . I want to extract all the values.
for example:
NAME=sda
NAME=sdb
Could someone please help me with it
Hi @ranjithan,
please try this
| rex "(?ms)^DISK\=\"(?<DISK>[^\"]+)\"\s+NAME\=\"(?<NAMA>[^\"]+)\"\s+HCTL\=\"(?<HCTL>[^\"]+)\"\s+TYPE\=\"(?<TYPE>[^\"]+)\"\s+VENDOR\=\"(?<VENDOR>[^\"]+)\"\s+SIZE\=\"(?<SIZE>[^\"]+)\"\s+SCSIHOST\=\"(?<SCSIHOST>[^\"]+)\"\s+CHANNEL\=\"(?<CHANNEL>[^\"]+)\"\s+ID\=\"(?<ID>[^\"]+)\"\s+LUN\=\"(?<LUN>[^\"]+)\"\s+BOOTDISK\=\"(?<BOOTDISK>[^\"]+)\""
that you can test at https://regex101.com/r/LrfKpR/1
Ciao.
Giuseppe
Hi @ranjithan,
please try this
| rex "(?ms)^DISK\=\"(?<DISK>[^\"]+)\"\s+NAME\=\"(?<NAMA>[^\"]+)\"\s+HCTL\=\"(?<HCTL>[^\"]+)\"\s+TYPE\=\"(?<TYPE>[^\"]+)\"\s+VENDOR\=\"(?<VENDOR>[^\"]+)\"\s+SIZE\=\"(?<SIZE>[^\"]+)\"\s+SCSIHOST\=\"(?<SCSIHOST>[^\"]+)\"\s+CHANNEL\=\"(?<CHANNEL>[^\"]+)\"\s+ID\=\"(?<ID>[^\"]+)\"\s+LUN\=\"(?<LUN>[^\"]+)\"\s+BOOTDISK\=\"(?<BOOTDISK>[^\"]+)\""
that you can test at https://regex101.com/r/LrfKpR/1
Ciao.
Giuseppe
Thank you. let me try...
Hi @ranjithan,
if this answer solves your need, please accept it for the other epople of Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi
if your input file or what ever is generating this is like this (one DISK on every line)
DISK="/dev/sda" NAME="sda" HCTL="0:0:0:0" TYPE="disk" VENDOR="VMware " SIZE="210G" SCSIHOST="0" CHANNEL="0" ID="0" LUN="0" BOOTDISK="TRUE"
DISK="/dev/sdb" NAME="sdb" HCTL="0:0:1:0" TYPE="disk" VENDOR="VMware " SIZE="100G" SCSIHOST="0" CHANNEL="0" ID="1" LUN="0" BOOTDISK="FALSE"
then you can use props.conf in HF/IDX (which one is first from your source)
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
Basically this is what splunk is doing without any configurations.
How you are collecting that disk information?
r. Ismo
it is based on shell script output.
Kindly suggest if it could be done via SPL or regex extractions..