<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Field Extraction in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291870#M55628</link>
    <description>&lt;P&gt;I am trying to extract a field but it is not working properly. I am able to extract single words but when spaces get involved it fails. I am basically trying to extract all 4 tab keywords.&lt;/P&gt;

&lt;P&gt;Event Sample&lt;BR /&gt;
Description : Security Update&lt;BR /&gt;
HotFixID    : KB3212646&lt;BR /&gt;
InstalledBy : NT AUTHORITY\SYSTEM&lt;BR /&gt;
InstalledOn : 1/20/2017 12:00:00 AM&lt;/P&gt;

&lt;P&gt;Description : Update&lt;BR /&gt;
HotFixID    : KB2952664&lt;BR /&gt;
InstalledBy : NT AUTHORITY\SYSTEM&lt;BR /&gt;
InstalledOn : 2/17/2017 12:00:00 AM&lt;/P&gt;</description>
    <pubDate>Wed, 22 Mar 2017 22:44:37 GMT</pubDate>
    <dc:creator>afamoyib</dc:creator>
    <dc:date>2017-03-22T22:44:37Z</dc:date>
    <item>
      <title>Field Extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291870#M55628</link>
      <description>&lt;P&gt;I am trying to extract a field but it is not working properly. I am able to extract single words but when spaces get involved it fails. I am basically trying to extract all 4 tab keywords.&lt;/P&gt;

&lt;P&gt;Event Sample&lt;BR /&gt;
Description : Security Update&lt;BR /&gt;
HotFixID    : KB3212646&lt;BR /&gt;
InstalledBy : NT AUTHORITY\SYSTEM&lt;BR /&gt;
InstalledOn : 1/20/2017 12:00:00 AM&lt;/P&gt;

&lt;P&gt;Description : Update&lt;BR /&gt;
HotFixID    : KB2952664&lt;BR /&gt;
InstalledBy : NT AUTHORITY\SYSTEM&lt;BR /&gt;
InstalledOn : 2/17/2017 12:00:00 AM&lt;/P&gt;</description>
      <pubDate>Wed, 22 Mar 2017 22:44:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291870#M55628</guid>
      <dc:creator>afamoyib</dc:creator>
      <dc:date>2017-03-22T22:44:37Z</dc:date>
    </item>
    <item>
      <title>Re: Field Extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291871#M55629</link>
      <description>&lt;P&gt;Where exactly are you doing this?  Is this an index-time extraction or a search-time extraction?  &lt;/P&gt;

&lt;P&gt;Are there CR/LFs in the _raw the way you have shown them, or are the events actually like this, or some other way?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Description : Security Update HotFixID : KB3212646  InstalledBy : NT AUTHORITY\SYSTEM InstalledOn : 1/20/2017 12:00:00 AM
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Are these the only fields you need to extract, or are there other keywords than these four?&lt;/P&gt;</description>
      <pubDate>Wed, 22 Mar 2017 23:15:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291871#M55629</guid>
      <dc:creator>DalJeanis</dc:creator>
      <dc:date>2017-03-22T23:15:06Z</dc:date>
    </item>
    <item>
      <title>Re: Field Extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291872#M55630</link>
      <description>&lt;P&gt;I don't know if you want to try a different approach, but if you're looking for Windows info like patch levels, uptime, and so on you might try WMI inputs. I created a new app called "wmi" and deployed it to my Windows hosts. It's no-frills and basically consists of a directory named wmi and a sub-directory named local. Then plop this down as inputs.conf after editing what index you want things to go to. You can edit the wql = line to include whatever information that WMI class will output.&lt;/P&gt;

&lt;P&gt;It just works.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# WMI FOR appdev INDEX
#replace the index = line with the correct index 
#place this file in C:\Program Files\SplunkUniversalForwarder\etc\apps\wmi\local as inputs.conf

[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 0
checkpoint_sync_interval = 2

## Processes
[WMI:LocalProcesses]
interval = 120
wql = Select IDProcess,PrivateBytes,Name,PercentProcessorTime,TimeStamp_Sys100NS from Win32_PerfRawData_PerfProc_Process
index = idx_appdev
disabled = 0


## Scheduled Jobs

## Use the Win32_ScheduledJob  class. Note that this class can only return jobs that are created using either a script or AT.exe. 
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
[WMI:ScheduledJobs]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
index = idx_appdev

## Services

## &lt;A href="http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx" target="test_blank"&gt;http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx&lt;/A&gt;
## Lists all services registered on the system, if they are running, and the status
[WMI:Service]
disabled = 0
## Run once an hour
interval = 3600
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
index = idx_appdev


## Update
[WMI:InstalledUpdates]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
index = idx_appdev


## Uptime
[WMI:Uptime]
disabled = 0
## Run once an hour
interval = 3600
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
index = idx_appdev

## index = idx_appdev


## Version
[WMI:Version]
disabled = 0
## Run once per day
interval = 86400
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
index = idx_appdev
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then I built a little dashboard around it.&lt;span class="lia-inline-image-display-wrapper" image-alt="alt text"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/2678i2BAB5DE32638BEE4/image-size/large?v=v2&amp;amp;px=999" role="button" title="alt text" alt="alt text" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 23 Mar 2017 19:41:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291872#M55630</guid>
      <dc:creator>JDukeSplunk</dc:creator>
      <dc:date>2017-03-23T19:41:53Z</dc:date>
    </item>
    <item>
      <title>Re: Field Extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291873#M55631</link>
      <description>&lt;P&gt;I am trying to do index-time extraction. When I try to use the extract tool it extracts poorly.&lt;/P&gt;

&lt;P&gt;Description : Security Update&lt;BR /&gt;
HotFixID : KB3212646&lt;BR /&gt;
InstalledBy : NT AUTHORITY\SYSTEM&lt;BR /&gt;
InstalledOn : 1/20/2017 12:00:00 AM&lt;/P&gt;

&lt;P&gt;For example I am trying to extract the contents for description and make it a field, and I am trying to extract installedby contents and make it another field. I used this regex pattern ^\w+\s+:\s+(?P\w+) but I was able to extract only one word.&lt;/P&gt;

&lt;P&gt;The tool appears to not be providing me the desired effect.&lt;/P&gt;</description>
      <pubDate>Thu, 23 Mar 2017 20:40:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291873#M55631</guid>
      <dc:creator>afamoyib</dc:creator>
      <dc:date>2017-03-23T20:40:53Z</dc:date>
    </item>
    <item>
      <title>Re: Field Extraction</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291874#M55632</link>
      <description>&lt;P&gt;This was completed by writing a regex statement to break properly and extract them into new words.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Nov 2017 21:39:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/291874#M55632</guid>
      <dc:creator>afamoyib</dc:creator>
      <dc:date>2017-11-21T21:39:43Z</dc:date>
    </item>
  </channel>
</rss>