Need help with a rex extraction

theouhuios · ‎09-05-2013

Hello

I have a string like this

a SysStatsUtilizationDiskSpace=17.60% /, SysStatsUtilizationDiskSpace=11.25% /storedconfig, SysStatsUtilizationDiskSpace=7.15% /tmp,

I need to extract the value and also the filesystem. I am able to extract for the first one and as you can see the format is repetitive. How do I make this \s+\S+\=(?P<SysStatsUtilizationDiskSpace1>\S+)\%\s+(?P<filesystem1>\S+)\, repetitive so that I dont need to write it again and again.

Any help please

Thanks

lguinn2 · ‎09-05-2013

I think the best way would be to create field extractions in props.conf and transforms.conf

In props.conf

[yoursourcetypehere]
TRANSFORMS-e1=extract_fields_1, extract_fields_2

In transforms.conf

[extract_fields_1]
REGEX = SysStatsUtilizationDiskSpace\s*=\s*\S+%\s*(\S+)
FORMAT = filesystem::$1
MV_ADD = true

# you may already have the field extractions for SysStatsUtilizationDiskSpace, but if not, this will create it
[extract_fields_2]
REGEX = SysStatsUtilizationDiskSpace\s*=\s*(\S+)%
FORMAT = SysStatsUtilizationDiskSpace::$1
MV_ADD = true

This will give you multi-valued fields, rather than fields named filesystem1, filesystem2, etc. It also requires that you do nothing in your search command. To see if it works, run this search

sourcetype=yoursourcetype | table SysStatsUtilizationDiskSpace filesystem

Need help with a rex extraction

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...