I want to convert the below output to something more meaningful:
L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 en0 arp on en0 authority en0 broadcast en0 mtu 1500 en0 netaddr 126.96.36.199 en0
This is for host1 and similarly for all other hosts. To something like:-
Hosts  Devicename  Attribute        Value
host1  L2cache0    size             0
host1  cd0         audio_supported  yes
host1  cd0         data_verify      enable
and so on....
This is certainly a little tricky but is definitely doable. Below is a search sample. Assume that you have a field called "metrics" with the above data.
... | rex field=metrics "(?<metric_triple>\w+ \w+ \w+)" max_match=100
| fields - metrics
| mvexpand metric_triple
| rex field=metric_triple "(?<Devicename>\w+) (?<Attribute>\w+) (?<Value>\w+)"
| fields - metric_triple
The next lines pull out triples of strings; we expand each event into one per triple, and finally pull out the three fields for each metric.
Interested readers can simulate this data with the lines:
| stats count as host
| eval host = "foo"
| eval metrics = "L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 en0 arp on en0 authority en0 broadcast en0 mtu 1500 en0 netaddr 188.8.131.52 en0"
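The two rex steps above, replayed in Python on the sample string from the question so the resulting rows can be inspected before the search is relied on. This is an added example, not part of the original answer; `DEVICES` and the `by_device` helper are assumptions introduced here to show a device-keyed split that tolerates attributes with no value and values containing dots.

```python
import re

# Sample string copied from the question (host1); it ends in a truncated "en0".
SAMPLE = (
    "L2cache0 size 0 cd0 audio_supported yes cd0 cdda_supported yes "
    "cd0 data_verify enable cd0 prevent_eject yes en0 alias4 en0 alias6 "
    "en0 arp on en0 authority en0 broadcast en0 mtu 1500 "
    "en0 netaddr 126.96.36.199 en0"
)

# Assumption: device names are known up front (e.g. from an inventory lookup).
DEVICES = {"L2cache0", "cd0", "en0"}

TRIPLE = re.compile(r"\w+ \w+ \w+")  # same pattern as the first rex


def rex_triples(metrics, max_match=100):
    """Replay rex max_match / mvexpand / second rex: non-overlapping triples."""
    matches = list(TRIPLE.finditer(metrics))[:max_match]
    return [tuple(m.group(0).split(" ")) for m in matches]


def by_device(metrics, devices=DEVICES):
    """Hypothetical alternative: start a new row at every known device name.

    Attributes without a value get "", and values keep dots (IP addresses).
    A value that equals a device name would be misread as a new row.
    """
    records = []
    for tok in metrics.split():
        if tok in devices or not records:
            records.append([tok])
        else:
            records[-1].append(tok)
    # Drop rows that hold only a device name (the truncated tail of the sample).
    return [(r[0], r[1], " ".join(r[2:])) for r in records if len(r) > 1]


if __name__ == "__main__":
    for label, rows in (("rex", rex_triples(SAMPLE)), ("by_device", by_device(SAMPLE))):
        print(label)
        for dev, attr, val in rows:
            print(f"  host1 {dev:10} {attr:16} {val}")
```

On this sample the triple pattern yields 10 rows, loses alignment from `en0 alias4` onward and never emits the `netaddr` row, while the device-keyed split yields 12 aligned rows.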
It's not clear to me from your post what the exact sed command is that you want, but here is an example of using the SEDCMD to clean up stuff that you should be able to modify to your own needs:
Assuming you have a source type of voxeo_hosted_file you would do something like this:
[voxeo_hosted_file]
# Each of these SED commands is executed on the input stream
SEDCMD-encode = s/Zyzzyva/SuperHostName/g s/\./ /g s/\//_/g
Original log line:
Modified Log message after sed processing:
CXV0083919952_SuperHostName_2010 06 20 15 22 42 536_OS_UserName_0eb59c29b4a2ba03=rj
Hopefully this helps.
You might want to re-edit and use the formatting and preview box (below the edit windows) to see how your post will look to others and to format it to make it look how you want. It's hard to see what you have and what you want to format in its current form.