Two ways, I would say.
Nontraditional for Splunk, but probably the neatest way to handle this data:
[openvzbeancounters]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\s*\d+\:
EXTRACT-veid = ^\s*(?<veid>\d+)\:
SEDCMD-fields = s/(?-m)((?:^\s*\d+\:|[\r\n]+\s*))(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+/\1 \2_held=\3 \2_maxheld=\4 \2_barrier=\5 \2_limit=\6 \2_failcnt=\7/g
KV_MODE=auto
Your data will be transformed during input to a format more suitable for Splunk to deal with, and you'll get a record for each veid with each stat with a different name and you can do stuff like:
sourcetype=openvzbeancounters veid!=0 | stats avg(kmemsize_held), avg(kmemsize_maxheld)
Alternatively, if for some reason you need the original file format stored in Splunk, props.conf :
[openvzbeancounters]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\s*\d+\:
EXTRACT-veid = ^\s*(?<veid>\d+)\:
REPORT-fields = ext_held,ext_maxheld,ext_barrier,ext_limit,ext_failcnt
Then, in transforms.conf
[ext_held]
REGEX = (?-m)(?:^\s*\d+\:|[\r\n]+\s*)(?<_KEY_1>\S+)\s+(?<_VAL_1>\S+)
MV_ADD = true
[ext_maxheld]
REGEX = (?-m)(?:^\s*\d+\:|[\r\n]+\s*)(?<_KEY_1>\S+)\s+\S+\s+(?<_VAL_1>\S+)
MV_ADD = true
[ext_barrier]
REGEX = (?-m)(?:^\s*\d+\:|[\r\n]+\s*)(?<_KEY_1>\S+)\s+(?:\S+\s+){2}(?<_VAL_1>\S+)
MV_ADD = true
[ext_limit]
REGEX = (?-m)(?:^\s*\d+\:|[\r\n]+\s*)(?<_KEY_1>\S+)\s+(?:\S+\s+){3}(?<_VAL_1>\S+)
MV_ADD = true
[ext_failcnt]
REGEX = (?-m)(?:^\s*\d+\:|[\r\n]+\s*)(?<_KEY_1>\S+)\s+(?:\S+\s+){4}(?<_VAL_1>\S+)
MV_ADD = true
Then, when you search or report on your data, you'll have to use mvindex to get at the individual fields for each counter:
sourcetype=openvzbeancounters veid=200 | eval kmemsize_held=mvindex(kmemsize,0)
or
sourcetype=openvzbeancounters veid=200 | timechart sum(eval(mvindex(kmemsize,4))) as kmemsize_failcnt_total
Where the index number corresponds to the order of the fields listed in the REPORT-fields clause, starting from zero.
... View more
