index=* sourcetype=mysourcetype check_command=disk hostname=myhostname
| dedup hostname
| rex mode=sed "s/(\"\_(\/|\/[a-zA-Z\/]+))\"/\1_used\"/g"
| rex max_match=0 "(?<bbb>\"\_(\/|\/[a-zA-Z\/]+)\_\w+\"\:\d+\.\d+\,)"
| table bbb | eval aaa=mvsort(bbb)
| rex max_match=0 field=aaa "\_(?<path>(\/|\/[a-zA-Z\/]+)\_used)\"\:(?<used>\d+)"
| rex max_match=0 field=aaa "_crit\":(?<crit>\d+)"
| rex max_match=0 field=aaa "_max\":(?<max>\d+)"
| rex max_match=0 field=aaa "_warn\":(?<warn>\d+)"
| eval zip=mvzip(path,used,"##")
| eval zip=mvzip(zip,crit,"##")
| eval zip=mvzip(zip,max,"##")
| eval zip=mvzip(zip,warn,"##")
| mvexpand zip
|rex max_match=0 field=zip "(?<path>.*)##(?<used>.*)##(?<crit>.*)##(?<max>.*)##(?<warn>.*)"
| fields - zip
| eval used=used/1024/1024
| eval crit=crit/1024/1024
| eval max=max/1024/1024
| eval warn=warn/1024/1024
| eval free=max-used
| eval percent=(used/max*100)
| eval percent=round(percent,0)
| table path free used max percent
| rex mode=sed field=path "s/_used//"
here is my result, the main event was JSON and the mountpoint were not sorted, so i need to modify first with sed the fields before i can sort i with mvsort correctly. Then i created some more MV-Fields with rex and create an "array" with mvzip.
For me, this is a good solution. I can process several fields per event in this way. it performs very well for me.
... View more