Greetings,
I have disk usage logs. These logs can have information on one or many disks, and I am interested in the "percent full".
ex:
Disk/[C]/percent full=71.63, Disk/[C]/MB free=11591, Disk/[C]/MB total=40857, Disk/[E]/percent full=26.699, Disk/[E]/MB free=23493, Disk/[E]/MB total=52256
A simple grok will get me the fields that I want:
Disk/\[%{DATA:disk}\]/percent full=%{NUMBER:percent},.*Disk/\[%{DATA:disk2}\]/percent full=%{NUMBER:percent2}
but the quantity of disks is variable, in the next log example I got three disks:
Disk/[C]/percent full=71.63, Disk/[C]/MB free=11591, Disk/[C]/MB total=40857, Disk/[E]/percent full=26.699, Disk/[E]/MB free=23493, Disk/[E]/MB total=52256
Disk/[F]/percent full=46.49, Disk/[F]/MB free=93342, Disk/[F]/MB total=435256
and in some logs I have 12 disks.
The first thing that comes to mind is using multiple groks, but there must be another way.
What will be the best way to handle these types of logs?
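
One way to handle a variable number of disks, shown as an added example that is not part of the original post: instead of one grok capture per disk, scan the line for every `Disk/[name]/metric=value` pair and group the values by disk. The function names and the sample line (constructed from the logs above) are assumptions; the same scan logic could be placed in a Logstash ruby filter.

```ruby
# Added example: parse any number of Disk/[X]/<metric>=<value> pairs.
# SAMPLE is constructed from the log lines shown in the post.
SAMPLE = 'Disk/[C]/percent full=71.63, Disk/[C]/MB free=11591, ' \
         'Disk/[C]/MB total=40857, Disk/[E]/percent full=26.699, ' \
         'Disk/[E]/MB free=23493, Disk/[E]/MB total=52256, ' \
         'Disk/[F]/percent full=46.49, Disk/[F]/MB free=93342, ' \
         'Disk/[F]/MB total=435256'

# One match per "Disk/[<name>]/<metric>=<number>" pair, however many exist.
# Pairs whose value is not a number are skipped rather than guessed at.
DISK_PAIR = %r{Disk/\[([^\]]+)\]/([^=,]+)=(-?\d+(?:\.\d+)?)}

# Hypothetical helper. Returns a hash keyed by disk name, e.g.
# { "C" => { "percent_full" => 71.63, "mb_free" => 11591.0, ... }, ... }
def parse_disk_metrics(line)
  disks = {}
  line.scan(DISK_PAIR) do |disk, metric, value|
    # "percent full" -> "percent_full", "MB free" -> "mb_free"
    key = metric.strip.downcase.gsub(/\s+/, '_')
    (disks[disk] ||= {})[key] = value.to_f
  end
  disks
end

# Hypothetical helper: names of disks at or above a fill threshold.
def disks_over(line, threshold)
  parse_disk_metrics(line)
    .select { |_, m| m.key?('percent_full') && m['percent_full'] >= threshold }
    .keys
end

if __FILE__ == $PROGRAM_NAME
  parse_disk_metrics(SAMPLE).each do |disk, m|
    puts "#{disk}: #{m['percent_full']}% full"
  end
end
```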