Getting Data In

Extract values for fields with the same name, but specifics come after value.

sanorthrup
Path Finder

I'm using Splunk to search my Cisco ISE logs. There is an ISE app, which is great, but has a pretty significant problem. I'm having trouble working through this problem too though. When Splunk reports on the value for SysStatsUtilizationDiskSpace, it takes the first instance, which in this example is 16% for the / mount point.

Jul 21 08:18:33 10.111.12.13 CISE_System_Statistics 0000090845 1 0 2017-07-21 08:18:33.863 -05:00 0004451032 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=12753, SysStatsUtilizationCpu=1.11%, SysStatsUtilizationNetwork=eth0: rcvd = 897585\; sent = 903414 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=8.14%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=16% /, SysStatsUtilizationDiskSpace=1% /tmp, SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=24% /boot, SysStatsUtilizationDiskSpace=2% /storedconfig, AverageRadiusRequestLatency=42, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=25, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.26, SysStatsCpuCount=8, SysStatsProcessMemoryMB=24173, ActiveSessionCount=90,

Within this message it shows the disk space utilization for each mount point, but the mount point name comes after the value. I care specifically about /opt. Is there any way to gather data about the 3rd instance of SysStatsUtilizationDiskSpace or is it possible to show the values for all mount points somehow?

I tried extracting/naming a new field, but didn't have any luck. Any help would be much appreciated.

1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can do it inline in the search like this (capture SysStatsUtilizationDiskSpace for /opt)

your base search 
| rex max_match=0 "SysStatsUtilizationDiskSpace\=(?<SysStatsUtilizationDiskSpace>\S+)\s\/opt,"
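An added example, not from the original post or from the ISE app: a small Python parser that applies the same regex idea to a constructed copy of the event above, but captures the mount point instead of hard-coding /opt, so every mount point comes back in one pass (the asker's second question), with the first-instance behaviour of a single-match extraction shown beside it.

```python
import re

# Constructed sample: one CISE_System_Statistics event shaped like the one in the question.
SAMPLE_EVENT = (
    "Jul 21 08:18:33 10.111.12.13 CISE_System_Statistics 0000090845 1 0 "
    "2017-07-21 08:18:33.863 -05:00 0004451032 70000 NOTICE System-Stats: ISE Utilization, "
    "ConfigVersionId=12753, SysStatsUtilizationCpu=1.11%, "
    "SysStatsUtilizationNetwork=eth0: rcvd = 897585\\; sent = 903414 \\;rcvd_dropped = 0\\; sent_dropped = 0, "
    "SysStatsUtilizationMemory=8.14%, SysStatsUtilizationDiskIO=0.03%, "
    "SysStatsUtilizationDiskSpace=16% /, SysStatsUtilizationDiskSpace=1% /tmp, "
    "SysStatsUtilizationDiskSpace=18% /opt, SysStatsUtilizationDiskSpace=24% /boot, "
    "SysStatsUtilizationDiskSpace=2% /storedconfig, AverageRadiusRequestLatency=42, "
    "SysStatsUtilizationLoadAvg=0.26, ActiveSessionCount=90,"
)

# Same shape as the rex in the accepted answer, but the mount point is a capture
# group rather than a literal, so one pattern covers /, /tmp, /opt, /boot, ...
DISK_RE = re.compile(r"SysStatsUtilizationDiskSpace=(?P<pct>\d+(?:\.\d+)?)%\s(?P<mount>\S+?),")


def parse_disk_space(event: str) -> dict:
    """Return {mount_point: percent_used} for every SysStatsUtilizationDiskSpace pair."""
    return {m.group("mount"): float(m.group("pct")) for m in DISK_RE.finditer(event)}


def first_match_only(event: str):
    """What a single-match extraction sees: only the first pair, i.e. the / mount point."""
    m = DISK_RE.search(event)
    return (m.group("mount"), float(m.group("pct"))) if m else None


def mounts_over(event: str, threshold: float) -> list:
    """Mount points at or above threshold, sorted; a filling ISE node is worth alerting on."""
    return sorted(mp for mp, pct in parse_disk_space(event).items() if pct >= threshold)
```

In SPL the same idea is a rex with max_match=0 and two capture groups (percentage and mount point), giving two multivalue fields that can be paired with mvzip.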
