I tried the below but I get lots of entries with "empty" vol names and not sure how to also list by Host.

index=nasuni sourcetype=Nasuni_* | eval vol_combine = "" | fillnull value="" | foreach volumeTableDescription* [eval vol_combine=vol_combine." ".'<<FIELD>>'] | makemv vol_combine | table vol_combine

Can you share the raw events that you have?

Yes, here is an example.  Thanks!

timestamp=1628083691 volumeTableDescription.0 = "IND" volumeTableDescription.1 = "NMG" volumeTableProvider.0 = "Amazon S3" volumeTableProvider.1 = "Amazon S3" volumeTableProtocol.0 = "proto_CIFS" volumeTableProtocol.1 = "proto_CIFS" volumeTableStatus.0 = "available" volumeTableStatus.1 = "available" volumeTableAccessibleData.0 = "792058246622" volumeTableAccessibleData.1 = "431253442376050" volumeTableUnprotectedData.0 = "248054173696" volumeTableUnprotectedData.1 = "0" volumeTableLastSnapshotStart.0 = "2021/Aug/04/12.16.31UTC" volumeTableLastSnapshotStart.1 = "2021/Aug/04/13.08.44UTC" volumeTableLastSnapshotEnd.0 = "2021/Aug/04/12.54.49UTC" volumeTableLastSnapshotEnd.1 = "2021/Aug/04/13.08.56UTC" volumeTableLastSnapshotDuration.0 = "2298" volumeTableLastSnapshotDuration.1 = "12" volumeTableLastSnapshotVersion.0 = "318" volumeTableLastSnapshotVersion.1 = "653391" volumeTableIsActive.0 = "1" volumeTableIsActive.1 = "1" volumeTableIsShared.0 = "0" volumeTableIsShared.1 = "0" volumeTableIsReadOnly.0 = "0" volumeTableIsReadOnly.1 = "0" volumeTableIsPinned.0 = "0" volumeTableIsPinned.1 = "0" volumeTableIsRemote.0 = "1" volumeTableIsRemote.1 = "1" volumeTableAvEnabled.0 = "0" volumeTableAvEnabled.1 = "0" volumeTableRemoteAccessEnabled.0 = "0" volumeTableRemoteAccessEnabled.1 = "0" volumeTableQuota.0 = "0" volumeTableQuota.1 = "0" volumeTableNumAVViolations.0 = "0" volumeTableNumAVViolations.1 = "0" volumeTableNumFileAlerts.0 = "0" volumeTableNumFileAlerts.1 = "0" volumeTableNumExports.0 = "0" volumeTableNumExports.1 = "0" volumeTableNumShares.0 = "5" volumeTableNumShares.1 = "5" volumeTableNumFtpdirs.0 = "0" volumeTableNumFtpdirs.1 = "0"

Thanks. It looks like that event works with your processing in that you get a mv field with IND and NMG in. Do you have an example of an event that doesn't work, or is it just a case that you want to ignore events which don't work?

Your question actually helped, I was using a * in my sourcetype.  I changed it to only look at Volume and now the spaces are gone.  It now looks like below.  How do I add a Host field and show volumes per host?

host would normally be added by the forwarders/indexers so you should just be able to reference it

| table host vol_combine

That works but now I have multiple entries for the same host reporting the same volume.  How do I get it to only list each host once with the respective volumes?

Thank you very much!  This is exactly what I needed. 🙂