
From the Windows smbclient command output, I am able to extract events in the format below. I am not able to use multikv to extract fields.

suser2019
Explorer

host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
VG Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA

0 Karma

to4kawa
Ultra Champion

UPDATED:

| makeresults 
| eval _raw="host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
 Sharename Type Comment
 --------- ---- -------
 Media     Disk Public folder
 music     Disk System default shared folder
 Test      Disk Test User
 photo     Disk System default shared folder
 Test 1    Disk Test User 
 VG        Disk only for VG group
 VG 2      Disk only for VG group 
 video     Disk System default shared folder
 web       Disk System default shared folder
 IPC$      IPC  IPC Service ()

 Reconnecting with SMB1 for workgroup listing.
 Server Comment
 --------- -------
 Workgroup Master
 --------- -------
 MEDIA"
 | eval _raw=replace(_raw,"(?sm)Reconnecting.+$","")
 | multikv forceheader=2
 | table Sharename Type Comment

I'm sorry, multikv is useful.

| makeresults 
| eval _raw="host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
VG Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA"
| makemv delim="
" _raw
| eval start=mvfind(_raw,"--------- ---- -------"), end=mvfind(_raw,"Reconnecting")
| eval raw=mvindex(_raw,start+1,end-1)
| table raw
| mvexpand raw
| rex field=raw "(?<Sharename>.+?) (?<Type>.+?) (?<Comment>.+)"

Is multikv required?

0 Karma

suser2019
Explorer

Thank you. How do we modify the rex to find fields with a space? For example, the sharename has a space.
Sharename Type Comment

Media Disk Public folder
music Disk System default shared folder
Test 1 Disk Test User
photo Disk System default shared folder
VG 2 Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()

0 Karma

to4kawa
Ultra Champion

Please check regex101.com.

I don't understand your sample sharename.

0 Karma

suser2019
Explorer

Using multikv, how do I extract fields that have a space in between?
For example:

User Permissions

Test Name 1 read, write
Test Name 2 read, write

and so on.
If one space is the delimiter, my multikv command extracts only "Test" as User and not "Test Name 1" or "Test Name 2".

What is the right way to make this happen at search time?

0 Karma
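As an added reference (not the poster's SPL and not part of the thread), here is the column-boundary approach that the padded multikv answer and the follow-up question about share names with spaces both come down to, written in Python: the dash separator line gives each column's start, so a share name such as "Test 1" stays whole, and everything from the "Reconnecting" trailer on is dropped just as the replace() in the SPL does. It assumes column-aligned output like the padded sample; the sample text below is constructed here.

```python
import re

# Constructed sample in the column-aligned form smbclient prints; the
# trailing workgroup block is shortened. Alignment is what lets a share
# name with a space ("Test 1") survive, for this parser and for multikv.
SAMPLE = """host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
 Sharename Type Comment
 --------- ---- -------
 Media     Disk Public folder
 music     Disk System default shared folder
 Test 1    Disk Test User
 VG 2      Disk only for VG group
 IPC$      IPC  IPC Service ()

Reconnecting with SMB1 for workgroup listing.
 Server Comment
 --------- -------
 MEDIA
"""

SEPARATOR = re.compile(r"^\s*-+(\s+-+)*\s*$")

def column_spans(sep_line):
    """Turn a '--------- ---- -------' line into (start, end) slices.
    A column runs from its dash run to the start of the next run; the
    last one runs to end of line, so a comment keeps its spaces."""
    starts = [m.start() for m in re.finditer(r"-+", sep_line)]
    ends = starts[1:] + [None]
    return list(zip(starts, ends))

def parse_share_listing(text):
    """Return one dict per row of the Sharename table, keyed by header.
    Everything from the 'Reconnecting' trailer onward is discarded,
    as the replace() in the SPL answer does."""
    lines = text.split("Reconnecting", 1)[0].splitlines()
    for idx, line in enumerate(lines[1:], start=1):
        if not SEPARATOR.match(line):
            continue
        spans = column_spans(line)
        names = [lines[idx - 1][s:e].strip() for s, e in spans]
        rows = []
        for data in lines[idx + 1:]:
            if not data.strip():
                break  # a blank line ends the table
            rows.append(dict(zip(names, [data[s:e].strip() for s, e in spans])))
        return rows
    return []
```

Feeding unaligned output (one space between columns, as in the first sample) will not work with this approach, which is the same reason the SPL answer re-padded the sample before calling multikv.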