Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splitting output and field extraction

Branden
Builder
‎08-26-2010 06:49 PM

I'm using Subsystem Device Drivers (SDD) on an AIX system to monitor SAN LUNs. When I run "datapath query devstats" command, I get output that looks like this:

Device #:  35
=============
                Total Read  Total Write  Active Read  Active Write   Maximum
I/O:             301295802      7081834            0             0        40
SECTOR:          967435533   1003883755            0             0     11424
Transfer Size:      <= 512        <= 4k       <= 16K        <= 64K     > 64K
                     13566        32412    301058990       4143978   3128690

(The spacing isn't coming out correctly on this form, but you get the idea).

It lists X number of the above depending on how many LUNs I have assigned. In this case, there will be 36 entries (0-35, #35 being the one I just pasted).

What I need is to capture the device IDs as well as "Total Read" and "Total Write" fields for both I/O and SECTOR for each device.

This command would be running every hour, its output sent directly to Splunk.

The trick here will be telling Splunk to split the output up per Device, and then extracting the needed fields across multiple lines.

Is this possible? If so, how do I tell Splunk to break the output up into chunks divided in a certain spot?

Thanks!

Tags (1)
0 Karma
Reply

Brian_Osburn
Builder
‎08-26-2010 07:25 PM

I'd modify the linebreak to include the whole event.

In addition, I was able to extract to fields using something like this:

|file /tmp/test.txt | rex field=_raw "Device #:\s+(?P<device_id>[\d]+)" | rex field=_raw "I\/O:\s+(?P<total_read_io>[\d]+)\s+(?P<total_write_io>[\d]+)\s+" | rex field=_raw "SECTOR:\s+(?P<sector_write_io>[\d]+)\s+(?P<sector_read_io>[\d]+)\s+"

Brian

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 11:19 PM

You can change how events are broken up (on input, so you may need to reindex data until it's right) using the BREAK_ONLY_BEFORE parameter in props.conf. That's probably the easiest way to configure it, something like BREAK_ONLY_BEFORE = ^Device #: \d+

0 Karma
Reply

Branden
Builder
‎08-26-2010 07:50 PM

Brian,

Thank you for your comment.
How do I go about modifying the link break to include the whole event? Can you provide some clarification on that?
Thanks!

0 Karma
Reply

Branden
Builder
‎08-26-2010 07:14 PM

Thanks for the edit, looks great!
One thing for people to note: the "Device #: 35" and the equal signs below it are part of the output as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...