From events of the form:
Filesystem Type Size Used Avail UsePct MountedOn
/dev/mapper/stuff1 ext4 50G 3.4G 44G 8% /
/dev/mapper/stuff2 ext4 485M 86M 374M 19% /boot
/dev/mapper/stuff3 ext4 926G 245M 879G 1% /home
/dev/mapper/stuff4 ext4 9.9T 4.8T 4.7T 51% /opt
These need to be accepted into fields and displayed in a chart.
index=os sourcetype=df host="host11" | rex max_match=4 field=_raw ".*?\n(?<Filesystem>[^F]\S+)\s+(?<Type>\S+)\s+(?<Size>\S+)\s+(?<Used>\S+)\s+(?<Avail>\S+)\s+(?<UsePct>\S+)\s+(?<MountedOn>\S+)" | table _time Filesystem, Type, Size, Used, Avail, UsePct, MountedOn
Looks like multikv works too with much less regex knowledge, but the result has each line as a separate table entry:
index=os sourcetype=df host="host11" | multikv fields Filesystem Type Size Used Avail UsePct MountedOn | table _time Filesystem, Type, Size, Used, Avail, UsePct, MountedOn
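As an added example (not from this thread), the same per-column extraction as the rex above, written in Python so it can be checked offline; it goes a little beyond the SPL by converting df's human-readable sizes to bytes and returning the mounts above a usage threshold, which is what a chart or alert on this data usually needs. The sample event is constructed in the df layout shown above, and the header row is skipped by anchoring each match at line start rather than with the `[^F]` trick.

```python
import re

# Constructed sample event in the df layout from the question (not a real host).
SAMPLE_EVENT = """Filesystem Type Size Used Avail UsePct MountedOn
/dev/mapper/stuff1 ext4 50G 3.4G 44G 8% /
/dev/mapper/stuff2 ext4 485M 86M 374M 19% /boot
/dev/mapper/stuff3 ext4 926G 245M 879G 1% /home
/dev/mapper/stuff4 ext4 9.9T 4.8T 4.7T 51% /opt
"""

# One capture group per df column, as in the rex. re.M anchors each match at a
# line start; the header never matches because "UsePct" is not digits + "%".
ROW_RE = re.compile(
    r"^(?P<Filesystem>\S+)\s+(?P<Type>\S+)\s+(?P<Size>\S+)\s+(?P<Used>\S+)"
    r"\s+(?P<Avail>\S+)\s+(?P<UsePct>\d+)%\s+(?P<MountedOn>\S+)$",
    re.M,
)

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Turn a df -h size such as '485M' or '9.9T' into a byte count."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS.get(m.group(2), 1))


def parse_df_event(raw):
    """Return one dict per data row with the same field names the rex extracts,
    plus UsePct as an int and SizeBytes for charting."""
    rows = []
    for m in ROW_RE.finditer(raw):
        row = m.groupdict()
        row["UsePct"] = int(row["UsePct"])
        row["SizeBytes"] = parse_size(row["Size"])
        rows.append(row)
    return rows


def mounts_over(raw, threshold_pct):
    """Mount points whose UsePct is at or above the threshold (alert candidates)."""
    return [r["MountedOn"] for r in parse_df_event(raw) if r["UsePct"] >= threshold_pct]


if __name__ == "__main__":
    for r in parse_df_event(SAMPLE_EVENT):
        print(r["MountedOn"], r["UsePct"], r["SizeBytes"])
    print("over 50%:", mounts_over(SAMPLE_EVENT, 50))
```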