Hello Splunkers.
I'm indexing some SNMP data from a server.
Here is one event indexed:
HOST-RESOURCES-MIB::hrStorageDescr."31" = "/"
HOST-RESOURCES-MIB::hrStorageDescr."35" = "/tmp"
HOST-RESOURCES-MIB::hrStorageDescr."36" = "/home"
HOST-RESOURCES-MIB::hrStorageDescr."37" = "/usr"
HOST-RESOURCES-MIB::hrStorageDescr."38" = "/usr/local"
HOST-RESOURCES-MIB::hrStorageDescr."39" = "/var"
HOST-RESOURCES-MIB::hrStorageDescr."40" = "/var/log"
HOST-RESOURCES-MIB::hrStorageDescr."41" = "/opt"
HOST-RESOURCES-MIB::hrStorageDescr."42" = "/opt/nds/data"
HOST-RESOURCES-MIB::hrStorageDescr."43" = "/var/log/nds"
HOST-RESOURCES-MIB::hrStorageDescr."44" = "/var/log/splunk"
HOST-RESOURCES-MIB::hrStorageDescr."45" = "/boot"
HOST-RESOURCES-MIB::hrStorageSize."1" = "132061388"
HOST-RESOURCES-MIB::hrStorageSize."3" = "168263816"
HOST-RESOURCES-MIB::hrStorageSize."6" = "132061388"
HOST-RESOURCES-MIB::hrStorageSize."7" = "94129872"
HOST-RESOURCES-MIB::hrStorageSize."10" = "36202428"
HOST-RESOURCES-MIB::hrStorageSize."31" = "1015393"
HOST-RESOURCES-MIB::hrStorageSize."35" = "1015385"
HOST-RESOURCES-MIB::hrStorageSize."36" = "1523090"
HOST-RESOURCES-MIB::hrStorageSize."37" = "2030792"
HOST-RESOURCES-MIB::hrStorageSize."38" = "1015385"
HOST-RESOURCES-MIB::hrStorageSize."39" = "2030792"
HOST-RESOURCES-MIB::hrStorageSize."40" = "2538497"
HOST-RESOURCES-MIB::hrStorageSize."41" = "12696559"
HOST-RESOURCES-MIB::hrStorageSize."42" = "5073149"
HOST-RESOURCES-MIB::hrStorageSize."43" = "19045441"
HOST-RESOURCES-MIB::hrStorageSize."44" = "7384608"
HOST-RESOURCES-MIB::hrStorageSize."45" = "507684"
HOST-RESOURCES-MIB::hrStorageUsed."1" = "102838612"
HOST-RESOURCES-MIB::hrStorageUsed."3" = "102838612"
HOST-RESOURCES-MIB::hrStorageUsed."6" = "4708464"
HOST-RESOURCES-MIB::hrStorageUsed."7" = "94129872"
HOST-RESOURCES-MIB::hrStorageUsed."10" = "0"
HOST-RESOURCES-MIB::hrStorageUsed."31" = "188130"
HOST-RESOURCES-MIB::hrStorageUsed."35" = "55800"
HOST-RESOURCES-MIB::hrStorageUsed."36" = "1302834"
HOST-RESOURCES-MIB::hrStorageUsed."37" = "868359"
HOST-RESOURCES-MIB::hrStorageUsed."38" = "165013"
HOST-RESOURCES-MIB::hrStorageUsed."39" = "1473096"
HOST-RESOURCES-MIB::hrStorageUsed."40" = "1659690"
HOST-RESOURCES-MIB::hrStorageUsed."41" = "9159791"
HOST-RESOURCES-MIB::hrStorageUsed."42" = "779795"
HOST-RESOURCES-MIB::hrStorageUsed."43" = "8276891"
HOST-RESOURCES-MIB::hrStorageUsed."44" = "86509"
HOST-RESOURCES-MIB::hrStorageUsed."45" = "13485"
What I want to do is something like the table below:
Partition Avail. Used Used%
/ 1015393 188130 18,52
/tmp 1015385 55800 5,49
/home 1523090 1302834 85,53
/usr 2030792 868359 42,75
/usr/local 1015385 165013 16,25
/var 2030792 1473096 72,53
/var/log 2538497 1659690 65,38
/opt 12696559 9159791 72,14
/opt/ser/data 5073149 779795 15,37
/var/log/ser 19045441 8276891 43,45
/var/log/splunk 7384608 86509 1,17
/boot 507684 13485 2,65
I'd like to use the "id" in each line to correlate to the same "id" in another line.
How can I do this?
Thanks in advance!
Agree. If you have control, can you change the line breaking of events to treat each line as a separate event? If not, we need to do the same via a search-time operation, like this:
your base search
| rex max_match=0 "HOST-RESOURCES-MIB::hrStorage(?<temp>\w+\.\"\d+\" \= \"[^\"]+\")"
| table temp | mvexpand temp
| rex field=temp "(?<Metrics>\w+)\.\"(?<ID>\d+)\" \= \"(?<Val>[^\"]+)\""
| chart values(Val) over ID by Metrics
| rename Descr as Partition Size as Avail
| table Partition Avail Used | eval "Used%"=round(Used*100/Avail,2)
somesoni2 - That is great that you had that so quickly! Definitely do this as an answer, then if guimilare can't separate the event into individual lines, he can accept that as the answer. I think this has some great potential for plenty of other people, and having it flagged as answered and accepted will help. You really have some great answers here and I think that sometimes your answers just get hidden down in the comments. Heaven knows you don't need the karma, but it would help to know that a good and accepted answer is here. Thanks!!! 🙂 🙂
I have to agree. Sometimes I just change somesoni2's comments to answers myself... because often they are.
Hi somesoni2, it worked perfectly!! Thank you very much!
Our team is evaluating both event-breaking methods to determine which one of them will give us simpler SPL searches.
Thank you both somesoni2 and cpetterborg for your answers! They helped a lot!
That is one single event right?
It would be much easier if it were a separate event for each line. Then you could use eval to get the number, tie the event together by the number, extract the fields, then combine through a table and eval the %Used.
That's correct
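The correlation that somesoni2's search performs (rex the metric name, the quoted index and the value out of each line, then chart values over the index) is the same join whether the SNMP walk arrives as one multi-line event or, as cpetterborg suggests, as one event per line: the quoted index is the key in both cases. The following Python is an added example written for this thread, not code from the thread or from Splunk. The sample event is constructed from a subset of the lines in the question plus a made-up index "50" with a zero hrStorageSize, and the function names (`parse_lines`, `correlate`, `storage_table`, `over_threshold`) are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the question's event, plus index "50",
# a made-up zero-size filesystem added to exercise the division-by-zero case.
SAMPLE_EVENT = """\
HOST-RESOURCES-MIB::hrStorageDescr."31" = "/"
HOST-RESOURCES-MIB::hrStorageDescr."44" = "/var/log/splunk"
HOST-RESOURCES-MIB::hrStorageDescr."50" = "/mnt/cdrom"
HOST-RESOURCES-MIB::hrStorageSize."1" = "132061388"
HOST-RESOURCES-MIB::hrStorageSize."31" = "1015393"
HOST-RESOURCES-MIB::hrStorageSize."44" = "7384608"
HOST-RESOURCES-MIB::hrStorageSize."50" = "0"
HOST-RESOURCES-MIB::hrStorageUsed."1" = "102838612"
HOST-RESOURCES-MIB::hrStorageUsed."31" = "188130"
HOST-RESOURCES-MIB::hrStorageUsed."44" = "86509"
HOST-RESOURCES-MIB::hrStorageUsed."50" = "0"
"""

# Same three captures as the second rex in the answer: Metrics, ID, Val.
LINE_RE = re.compile(
    r'HOST-RESOURCES-MIB::hrStorage(?P<metric>\w+)\."(?P<id>\d+)" = "(?P<val>[^"]*)"'
)


def parse_lines(text):
    """Yield (metric, id, value) for every matching line.

    Works the same whether `text` is one multi-line event or a single
    per-line event: the quoted index is the correlation key either way.
    Non-matching lines are skipped, as they would be by rex.
    """
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("metric"), m.group("id"), m.group("val")


def correlate(text):
    """Group values by index -> {id: {metric: value}}.

    This is the equivalent of `chart values(Val) over ID by Metrics`.
    """
    grouped = defaultdict(dict)
    for metric, idx, val in parse_lines(text):
        grouped[idx][metric] = val
    return grouped


def storage_table(text):
    """Build the Partition / Avail / Used / Used% table, one row per index.

    An index with no Descr line (1, 3, 6, 7, 10 in the question) is kept with
    Partition=None, the way `table` shows a null field; a zero Size gives
    Used%=None instead of raising, as SPL's eval returns null for x/0.
    """
    grouped = correlate(text)
    table = []
    for idx in sorted(grouped, key=int):
        m = grouped[idx]
        if "Size" not in m or "Used" not in m:
            continue  # nothing to compute for a partial index
        size, used = int(m["Size"]), int(m["Used"])
        pct = round(used * 100 / size, 2) if size else None
        table.append({"ID": idx, "Partition": m.get("Descr"),
                      "Avail": size, "Used": used, "Used%": pct})
    return table


def over_threshold(table, pct):
    """Rows at or above `pct` percent used, e.g. to alert before a log volume fills up."""
    return [r for r in table if r["Used%"] is not None and r["Used%"] >= pct]


if __name__ == "__main__":
    rows = storage_table(SAMPLE_EVENT)
    for row in rows:
        print(row)
    print("at or over 50%:", [r["Partition"] or r["ID"] for r in over_threshold(rows, 50)])
```

Because `parse_lines` treats every line independently, feeding it one event per line (the line-breaking change the answer suggests) or the whole multi-line event gives the same grouped result; the only thing that changes in Splunk is whether the grouping is done by `mvexpand` followed by `chart`, or by `stats`/`chart` directly over the per-line events. Note that `round` here gives 18.53 for "/" where the question's table shows 18,52, because the question's figures are truncated rather than rounded.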