Multi value regex

theouhuios · ‎10-14-2013

Hello

I am trying to extract multiple values of single field name.

 SysStatsUtilizationDiskSpace=17.58% /, SysStatsUtilizationDiskSpace=11.25% /storedconfig, SysStatsUtilizationDiskSpace=7.11% /tmp, SysStatsUtilizationDiskSpace=6.37% /localdisk, SysStatsUtilizationDiskSpace=11.15% /boot,

Here I am trying to extract the value without % and also the filesystem for it. I am using the MV_ADD , but it doesn't actually work. Do I need to define two stanzas for it to work? The reason why I am doing this is because I want it to be like disk_boot = 11.15 . Any ideas?

[disk_space]
REGEX = DiskSpace\=([^%]+)\%\s+\/([^,]*)\,
FORMAT = disk_$2::$1
MV_ADD = True

emiller42 · ‎10-14-2013

Unfortunately, you can't do concatentated fields in search-time extractions. I would recommend doing something like:

[disk_space]
REGEX = DiskSpace\=([^%]+)\%\s+(/[^,]*)\,
FORMAT = diskSpace::$1 filesystem::$2

(I modified the regex to include the leading / in the filesystem, that way you don't get null values for diskSpace)

This will give you events with the following:

diskSpace=17.58 filesystem="/"
diskSpace=11.25 filesystem="/storedconfig"
diskSpace=7.11 filesystem="/tmp"
etc

Multi value regex

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Multi value regex

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk