How do you extract all values for respective field...

twh1 · ‎09-11-2018

I have below event in my log which is output of a single command.

TIMESTAMP=2018-09-11T06:47:56|HOSTNAME=a9tvdb152|Cluster_Resources=CRS_Cluster_resources
NAME=ora.ASMNET1LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE             , ONLINE             , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.ASMNET2LSNR_ASM.lsnr
TYPE=ora.asm_listener.type
TARGET=ONLINE             , ONLINE             , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
NAME=ora.DATA1_DG.dg
TYPE=ora.diskgroup.type
TARGET=ONLINE             , ONLINE             , ONLINE
STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153

I am getting below fields in this event but with only first values not rest.

TIMESTAMP
NAME
TYPE
TARGET
STATE

I need all value occurrence in respective field.

mayurr98 · ‎09-11-2018

can you try this?

| makeresults 
 | eval data="TIMESTAMP=2018-09-11T06:47:56|HOSTNAME=a9tvdb152|Cluster_Resources=CRS_Cluster_resources
 NAME=ora.ASMNET1LSNR_ASM.lsnr
 TYPE=ora.asm_listener.type
 TARGET=ONLINE             , ONLINE             , ONLINE
 STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
 NAME=ora.ASMNET2LSNR_ASM.lsnr
 TYPE=ora.asm_listener.type
 TARGET=ONLINE             , ONLINE             , ONLINE
 STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153
 NAME=ora.DATA1_DG.dg
 TYPE=ora.diskgroup.type
 TARGET=ONLINE             , ONLINE             , ONLINE
 STATE=ONLINE on a9tvdb151, ONLINE on a9tvdb152, ONLINE on a9tvdb153" | rex field=data max_match=0 "NAME\=(?<NAME>.*)\s*TYPE\=(?<Type>.*)\s*TARGET\=(?<TARGET>.*)\s*STATE\=(?<STATE>.*)"

twh1 · ‎09-11-2018

HI @mayurr98 ,

I tried above option and got the result in tablular format. But all data is displayed as single event. Not as multiple row.

Sukisen1981 · ‎09-11-2018

are you using regex to extract the values?

twh1 · ‎09-12-2018

@Sukisen1981
As I mentioned, event is output of single command. I am not using regex. I need to extract the field run time.

How do you extract all values for respective fields from multi line event?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!