Splunk Search

My events are in the below mentioned description format, How can extract fields with multi values, perfect solution/query ?

Rakesh_597
Engager

Event 1:
Filesystem Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-rootlv ext3 6.0G 4.0G 1.7G 71% /
/dev/sda1 ext3 194M 65M 120M 36% /boot
/dev/mapper/rootvg-home_lv ext3 2.0G 636M 1.3G 34% /local_home
/dev/mapper/rootvg-opt_lv ext3 6.0G 2.0G 3.8G 34% /opt
/dev/mapper/rootvg-tmp_lv ext3 2.0G 345M 1.6G 18% /tmp
/dev/mapper/rootvg-usr_lv ext3 2.0G 116M 1.8G 7% /usr/local
/dev/mapper/rootvg-var_lv ext3 4.0G 1.9G 2.0G 50% /var
/dev/mapper/rootvg-history_lv ext3 2.0G 68M 1.9G 4% /history_logs
/dev/mapper/appvg-apigee_lv ext3 197G 3.6G 184G 2% /usr/apigee
/dev/mapper/appvg-opt_apigee_lv ext4 197G 17G 171G 9% /opt/apigee
/dev/mapper/appvg-venafi_lv ext3 1012M 34M 928M 4% /venafi

Event 2:
Filesystem Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-rootlv ext3 15G 5.3G 8.5G 39% /
devtmpfs devtmpfs 16G 0 16G 0% /dev
/dev/sda1 ext3 190M 134M 47M 75% /boot
/dev/mapper/appvg-venafi_lv ext4 976M 2.6M 907M 1% /venafi
/dev/mapper/appvg-srcctmag_lv ext4 9.8G 1.7G 7.6G 19% /srcctmag
/dev/mapper/appvg-usr_apigee ext4 99G 395M 93G 1% /usr/apigee
/dev/mapper/appvg-apps_lv ext3 32G 49M 30G 1% /apps
/dev/mapper/rootvg-history_lv ext3 2.0G 3.1M 1.9G 1% /history_logs
/dev/mapper/rootvg-usr_lv ext3 2.0G 60M 1.8G 4% /usr/local
/dev/mapper/rootvg-home_lv ext3 2.0G 173M 1.7G 10% /local_home
/dev/mapper/rootvg-tmp_lv ext3 2.0G 166M 1.7G 9% /tmp
/dev/mapper/rootvg-var_lv ext3 5.0G 1.7G 3.1G 36% /var
/dev/mapper/rootvg-opt_lv ext3 5.8G 1.1G 4.5G 19% /opt
/dev/mapper/appvg-opt_apigee ext4 197G 90G 97G 49% /opt/apigee

Event 3:
Filesystem Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-root xfs 6.0G 2.7G 3.4G 45% /
devtmpfs devtmpfs 16G 0 16G 0% /dev
/dev/sda1 xfs 1014M 165M 850M 17% /boot
/dev/mapper/rootvg-venafi_lv xfs 1014M 33M 982M 4% /venafi
/dev/mapper/rootvg-var xfs 4.0G 2.9G 1.2G 71% /var
/dev/mapper/rootvg-local_home xfs 2.0G 93M 2.0G 5% /local_home
/dev/mapper/appvg-controlm_lv xfs 3.0G 33M 3.0G 2% /controlm
/dev/mapper/rootvg-temp xfs 1.1G 33M 1.1G 3% /temp
/dev/mapper/rootvg-history_logs_lv xfs 2.0G 39M 2.0G 2% /var/history_logs
/dev/mapper/appvg-apiusr_lv xfs 200G 544M 200G 1% /usr/apigee
/dev/mapper/rootvg-tmp xfs 2.0G 97M 1.9G 5% /tmp
/dev/mapper/rootvg-opt xfs 6.0G 1.7G 4.3G 29% /opt
/dev/mapper/appvg-apiopt_lv xfs 200G 4.7G 196G 3% /opt/apigee
/dev/mapper/rootvg-itm_lv xfs 3.0G 397M 2.7G 13% /opt/IBM/ITM
/dev/mapper/appvg-apps ext4 32G 49M 30G 1% /apps

0 Karma

woodcock
Esteemed Legend

That is the whole point of multikv:

|makeresults | eval _raw="Filesystem                      Type Size Used Avail UsePct MountedOn
/dev/mapper/rootvg-rootlv       ext3 6.0G 4.3G  1.4G    77% /
/dev/sda1                       ext3 194M  78M  107M    43% /boot
/dev/mapper/rootvg-home_lv      ext3 2.0G 528M  1.4G    28% /local_home
/dev/mapper/rootvg-opt_lv       ext3 6.0G 1.2G  4.5G    21% /opt
/dev/mapper/rootvg-tmp_lv       ext3 2.0G 230M  1.7G    13% /tmp
/dev/mapper/rootvg-usr_lv       ext3 2.0G 116M  1.8G     7% /usr/local
/dev/mapper/rootvg-var_lv       ext3 4.0G 1.4G  2.4G    37% /var
/dev/mapper/rootvg-history_lv   ext3 2.0G  68M  1.9G     4% /history_logs
/dev/mapper/rootvg-itm_lv       ext3 3.0G 608M  2.3G    22% /opt/IBM/ITM
/dev/mapper/appvg-apps_lv       ext3  32G 177M   30G     1% /apps
/dev/mapper/appvg-usr_apigee_lv ext3 197G 485M  187G     1% /usr/apigee
/dev/mapper/appvg-apilogs_lv    ext3  20G 173M   19G     1% /apilogs
/dev/mapper/appvg-Introscope_lv ext3 3.0G  69M  2.8G     3% /Introscope
/dev/mapper/rootvg-venafi_lv    ext4 976M 1.3M  924M     1% /venafi
/dev/mapper/appvg-opt_apigee_lv ext4 197G 8.9G  178G     5% /opt/apigee"
| multikv forceheader=1 copyattrs=t
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...