Hello
I am trying to extract multiple values of a single field name.
SysStatsUtilizationDiskSpace=17.58% /, SysStatsUtilizationDiskSpace=11.25% /storedconfig, SysStatsUtilizationDiskSpace=7.11% /tmp, SysStatsUtilizationDiskSpace=6.37% /localdisk, SysStatsUtilizationDiskSpace=11.15% /boot,
Here I am trying to extract the value without the % and also the filesystem for it. I am using MV_ADD, but it doesn't actually work. Do I need to define two stanzas for it to work? The reason I am doing this is that I want it to be like disk_boot = 11.15. Any ideas?
[disk_space]
REGEX = DiskSpace\=([^%]+)\%\s+\/([^,]*)\,
FORMAT = disk_$2::$1
MV_ADD = True
Unfortunately, you can't do concatenated fields in search-time extractions. I would recommend doing something like:
[disk_space]
REGEX = DiskSpace\=([^%]+)\%\s+(/[^,]*)\,
FORMAT = diskSpace::$1 filesystem::$2
(I modified the regex to include the leading / in the filesystem, that way you don't get null values for diskSpace)
This will give you events with the following:
diskSpace=17.58 filesystem="/"
diskSpace=11.25 filesystem="/storedconfig"
diskSpace=7.11 filesystem="/tmp"
etc
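
The two REGEX lines above can be checked against the sample event offline before they go into transforms.conf. The following is an added example, not part of the original posts: it uses Python's re module as a stand-in for Splunk's regex engine, assumes multivalue extraction is in effect, and the function names and the disk_root naming are hypothetical.

```python
import re

# Sample event copied from the question.
EVENT = (
    "SysStatsUtilizationDiskSpace=17.58% /, "
    "SysStatsUtilizationDiskSpace=11.25% /storedconfig, "
    "SysStatsUtilizationDiskSpace=7.11% /tmp, "
    "SysStatsUtilizationDiskSpace=6.37% /localdisk, "
    "SysStatsUtilizationDiskSpace=11.15% /boot,"
)

# REGEX lines from the two [disk_space] stanzas on this page.
QUESTION_REGEX = re.compile(r"DiskSpace\=([^%]+)\%\s+\/([^,]*)\,")
ANSWER_REGEX = re.compile(r"DiskSpace\=([^%]+)\%\s+(/[^,]*)\,")


def extract_pairs(regex, event):
    """Return every (percent, filesystem) match, in event order."""
    return [(m.group(1), m.group(2)) for m in regex.finditer(event)]


def as_multivalue_fields(pairs):
    """Model FORMAT = diskSpace::$1 filesystem::$2 as two parallel value lists."""
    return {
        "diskSpace": [pct for pct, _ in pairs],
        "filesystem": [fs for _, fs in pairs],
    }


def per_filesystem(pairs):
    """Pair the values back up by position into disk_<name> = <float>.

    Hypothetical naming: '/' becomes disk_root, other paths drop the slash.
    """
    out = {}
    for pct, fs in pairs:
        name = fs.strip("/").replace("/", "_") or "root"
        out[f"disk_{name}"] = float(pct)
    return out


if __name__ == "__main__":
    # With the question's regex the filesystem group is empty for "/".
    print(extract_pairs(QUESTION_REGEX, EVENT)[0])
    print(as_multivalue_fields(extract_pairs(ANSWER_REGEX, EVENT)))
    print(per_filesystem(extract_pairs(ANSWER_REGEX, EVENT)))
```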