I am experimenting with events that generate data in a tabular manner and I want to create a historical graph of data from events with multivalue fields. As a test, I am logging the output of "df -hP" as a single event every few hours. The output looks like:
/dev/mapper/vg_1-lv_home 59G 52M 56G 1% /home
/dev/sda1 477M 40M 412M 9% /boot
tmpfs 24G 0 24G 0% /dev/shm
<...>
I want to be able to extract all the fields per row by simply matching one field (the first, which equals 'device'). I know that you can do the following search:
source="df -Ph"
| eval var1=mvindex(device, 0)
| eval ...
...
| table var1, ...
But this approach involves already knowing the order of the output to know which device you're selecting, which will not always be the case.
Is there a way to do what I'm trying to do?
NOTE:
I have already set up props/transforms to do multivalue search-time extraction. What I'm trying to do now is "extract" or output only the rows that match a search for the device name (first column).
Example (pseudocode):
if (device == /dev/sda1)
then
get device.row
print all fields in device.row
fi
Use mvexpand on the field you are searching against, and pipe your results to search for a specific value. (Note: you can only use mvexpand on a single field, but this should resolve it for you).
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Mvexpand
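As an added worked example (not part of the original answer), this is the mvexpand approach carried through end to end on a constructed event. The multivalue field names device, size, used, avail, pct and mount are assumptions standing in for whatever the poster's props/transforms actually produce; makeresults and split build the sample multivalue fields in place so the search runs on any Splunk instance without the df data. Because mvexpand only expands one field, the six fields are first zipped into a single row field (with "|" as the delimiter, which never occurs in a device name or mount point), so that each expanded event carries the values of exactly one df line. The delimited row is then split back into per-row fields with rex, and only then is the row filtered by device name:

```spl
| makeresults
| eval device=split("/dev/mapper/vg_1-lv_home,/dev/sda1,tmpfs", ",")
| eval size=split("59G,477M,24G", ",")
| eval used=split("52M,40M,0", ",")
| eval avail=split("56G,412M,24G", ",")
| eval pct=split("1%,9%,0%", ",")
| eval mount=split("/home,/boot,/dev/shm", ",")
| eval row=mvzip(mvzip(mvzip(mvzip(mvzip(device, size, "|"), used, "|"), avail, "|"), pct, "|"), mount, "|")
| mvexpand row
| fields - device, size, used, avail, pct, mount
| rex field=row "^(?<device>[^|]+)\|(?<size>[^|]+)\|(?<used>[^|]+)\|(?<avail>[^|]+)\|(?<pct>[^|]+)\|(?<mount>[^|]+)$"
| search device="/dev/sda1"
| table _time, device, size, used, avail, pct, mount
```

Against the real data, the makeresults and split lines are replaced by the search that returns the df events (source="df -Ph" in the question), since the search-time extractions already supply the multivalue fields. Running mvexpand on device alone, with no mvzip step, is not enough: the other fields are copied unchanged onto every expanded event and stay multivalue, so the "/dev/sda1" event would still carry all three sizes. If only one row per event is wanted and no expansion is needed, the same result can be had without mvexpand by locating the row index with mvfind (for example eval i=mvfind(device, "^/dev/sda1$")) and then picking each field with mvindex(size, i), mvindex(used, i) and so on; mvfind returns null when no value matches, which a where isnotnull(i) can filter out.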
@ricotries If we do not know the sequence, we would have to know the pattern to use a regular expression. Please add more details with sample values (mock up any sensitive information before posting on Splunk Answers) for the community to assist you better.