Extracting multiple values from a Field

nabeel652 — Thu, 28 Sep 2017 04:14:27 GMT

I have a field in Windows Backup Events named VolumesInfo
Sample:

<VolumeInfoItem Name="System" OriginalAccessPath="" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="54001664" NumUnreadableBytes="0" TotalSize="54001664" TotalNoOfFiles="0" Flags="554" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /><VolumeInfoItem Name="C:" OriginalAccessPath="C:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="35564748800" NumUnreadableBytes="0" TotalSize="35564748800" TotalNoOfFiles="0" Flags="1576" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /><VolumeInfoItem Name="D:" OriginalAccessPath="D:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="3730767872" NumUnreadableBytes="0" TotalSize="3730767872" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /></VolumeInfo>

This contains information about all the volumes backedup on a certain Computer. However I am struggling to extract all the multiple Volumes and related information like in the sample data there are three volumes "System", "C:" and "D:".

I have tried field extractions but it only returns the first one. makemv and mvexpand is also not helping. I need results in this format:

Compuer VolumeName  TotalSize   DataTransferred
Server1 System      1212             12
Server1 C:        7575            77
Server1 D:        7676            66
Server2 C:        767               7
    and So on…

Re: Extracting multiple values from a Field

inventsekar — Thu, 28 Sep 2017 04:36:16 GMT

the TotalSize 1212, 7575.. and DataTransferred are not there at the sample.
(on the sample - TotalSize="54001664", DataTransferred="54001664")

can you please update clearly how these details you found

Re: Extracting multiple values from a Field

nabeel652 — Thu, 28 Sep 2017 04:40:24 GMT

Yes, thats just for explaining. I was bit lazy not copying the actual values 🙂

Re: Extracting multiple values from a Field

DalJeanis — Thu, 28 Sep 2017 04:41:45 GMT

Try something like this...

| rex field=VolumeInfo "Name=\"(?<temp1>[^\"]+)"  max_match=0
| rex field=VolumeInfo "TotalSize=\"(?<temp2>[^\"]+)"  max_match=0
| rex field=VolumeInfo "DataTransferred=\"(?<temp3>[^\"]+)"  max_match=0
| eval mydata=mvzip(mvzip(temp1,temp2,"!!!!"),temp3,"!!!!")
| mvexpand mydata
| rex field=mydata "^(?<Name>.*?)!!!!(?<TotalSize>.*?)!!!!(?<DataTransferred>.*?)$"

topic Re: Extracting multiple values from a Field in Splunk Search

Extracting multiple values from a Field

Re: Extracting multiple values from a Field

Re: Extracting multiple values from a Field

Re: Extracting multiple values from a Field