From the Windows smbclient command output, I am able to extract events in the format below, but I am not able to use multikv to extract fields.

Explorer

host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
VG Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA


SplunkTrust

UPDATED:

| makeresults 
| eval _raw="host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
 Sharename Type Comment
 --------- ---- -------
 Media     Disk Public folder
 music     Disk System default shared folder
 Test      Disk Test User
 photo     Disk System default shared folder
 Test 1    Disk Test User 
 VG        Disk only for VG group
 VG 2      Disk only for VG group 
 video     Disk System default shared folder
 web       Disk System default shared folder
 IPC$      IPC  IPC Service ()

 Reconnecting with SMB1 for workgroup listing.
 Server Comment
 --------- -------
 Workgroup Master
 --------- -------
 MEDIA"
 | eval _raw=replace(_raw,"(?sm)Reconnecting.+$","")
 | multikv forceheader=2
 | table Sharename Type Comment

I'm sorry, multikv is useful.

| makeresults 
| eval _raw="host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
VG Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA"
| makemv delim="
" _raw
| eval start=mvfind(_raw,"--------- ---- -------"), end=mvfind(_raw,"Reconnecting")
| eval raw=mvindex(_raw,start+1,end-1)
| table raw
| mvexpand raw
| rex field=raw "(?<Sharename>.+?) (?<Type>.+?) (?<Comment>.+)"

Is multikv required?


Explorer

Thank you. How do we modify the rex to find fields with a space? For example, the sharename has a space.

```
Sharename Type Comment
Media Disk Public folder
music Disk System default shared folder
Test 1 Disk Test User
photo Disk System default shared folder
VG 2 Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
```


SplunkTrust

Please check regex101.com.

I don't understand your sample sharename.


Explorer

Using multikv, how do I extract fields that have a space in between?
For example:

```
User Permissions
Test Name 1 read, write
Test Name 2 read, write
```

and so on.
If one space is the delimiter, my multikv command extracts only "Test" as User and not "Test Name 1" or "Test Name 2".

What is the right way to make this happen during search time?

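As an added example, not code from this thread or from Splunk, here is a Python parser for the smbclient -L share table that does what multikv does with the dashed ruler line: it derives column offsets from the dashes, so "Test 1" stays one Sharename when the columns are aligned as in the UPDATED post, and falls back to a regex anchored on the share Type column (Disk, IPC, Printer are assumed to be the only types) when the output is single-space separated as in the original post. Both sample listings are constructed from the thread's output.

```python
import re

# Constructed sample: aligned columns, as in the "UPDATED" post.
ALIGNED_SAMPLE = """host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
 Sharename Type Comment
 --------- ---- -------
 Media     Disk Public folder
 Test 1    Disk Test User
 VG 2      Disk only for VG group
 IPC$      IPC  IPC Service ()

 Reconnecting with SMB1 for workgroup listing.
"""

# Constructed sample: single-space separators, as in the original post.
FLAT_SAMPLE = """Sharename Type Comment
--------- ---- -------
Media Disk Public folder
Test 1 Disk Test User
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
"""

SHARE_TYPES = ("Disk", "IPC", "Printer")  # assumed set of smbclient share types
RULER_RE = re.compile(r"\s*-+(\s+-+)+\s*")  # the "--------- ---- -------" line
# Fallback for unaligned rows: the Type token is the only reliable anchor, so the
# share name may contain spaces. The same pattern works in Splunk's rex command.
FLAT_RE = re.compile(r"^(?P<Sharename>.+?)\s+(?P<Type>Disk|IPC|Printer)\s+(?P<Comment>.*)$")


def parse_shares(text):
    """Return a list of {Sharename, Type, Comment} dicts from smbclient -L output."""
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines) if RULER_RE.fullmatch(l))
    header, ruler = lines[idx - 1], lines[idx]
    starts = [m.start() for m in re.finditer(r"-+", ruler)]  # column offsets
    spans = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[idx + 1:]:
        if not line.strip() or line.lstrip().startswith("Reconnecting"):
            break  # end of the share table
        row = dict(zip(names, (line[s:e].strip() for s, e in spans)))
        if row.get("Type") not in SHARE_TYPES:  # columns not aligned: use regex
            m = FLAT_RE.match(line.strip())
            if not m:
                continue  # unparseable row; skip rather than guess
            row = m.groupdict()
        rows.append(row)
    return rows
```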