
How can I extract multiple fields and values from the following raw information?

Explorer

I have raw information as follows (the Kaspersky output appears twice within one 'section'):

------------------------------------------------------------ snip of one section --------------------------------------------------------------------

08/11/2018
07:43:58.000

kaspersky output:
Scanned objects : 19
Total detected objects : 0
Infected and other objects : 0
Disinfected objects : 0
Moved to backup : 0
Removed objects : 0
Not disinfected objects : 0
Scan errors : 0
Corrupted objects : 0
Password protected objects : 0
Skipped : 0

Between the above and below output there are many lines with all kinds of information that is not really relevant.

kaspersky output:
Scanned objects : 1
Total detected objects : 0
Infected and other objects : 0
Disinfected objects : 0
Moved to backup : 0
Removed objects : 0
Not disinfected objects : 0
Scan errors : 0
Corrupted objects : 0
Password protected objects : 0
Skipped : 0

And then there are many lines at the bottom that are not really relevant either.

------------------------------------------------------------ snip of one section --------------------------------------------------------------------

The target is to have e.g. a time table with the values of each line: e.g. the field name would be "Scanned objects" and its values would be 19 and 1 (in this case) -- and then a similar approach for all the other lines --

I tried to extract the fields using a Regular Expression, but it seems it does not select every value (e.g. of Scanned objects), meaning I have blanks in the output itself.

Please advise how to actually get this done.


Super Champion

Hi @edwinmae,
try the kv extraction below:

....|kv  mv_add=true pairdelim="\r\n",kvdelim=":"

It will separate the key-value pairs.


Explorer

That actually seems to work.

There are still blanks in the output, which are likely caused by raw data within the same 'section' that contains e.g. s3://xxxx or https://, so these are also seen as 'pairs' ...

Is there a way to exclude them from the output?

Right now they have no value.


Super Champion

You can remove fields using

|fields - <fieldname>
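As an added illustration (not code from the thread or from Splunk), the Python below does the same line-based key/value split on a constructed copy of the section, keeps every value per key the way mv_add=true does, and then shows two ways to get rid of the stray 'pairs' from the follow-up: dropping named fields (the `fields -` approach) and keeping only the numeric report counters. The function names and the sample data are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the question's section: a date, a
# timestamp, two Kaspersky blocks and stray URL lines (all values made up).
RAW_SECTION = (
    "08/11/2018\r\n07:43:58.000\r\n"
    "kaspersky output:\r\nScanned objects : 19\r\nTotal detected objects : 0\r\n"
    "Skipped : 0\r\nsource s3://xxxx/log\r\nhttps://\r\n"
    "kaspersky output:\r\nScanned objects : 1\r\nTotal detected objects : 0\r\n"
    "Skipped : 0\r\n"
)


def kv_extract(raw, pairdelim="\r\n", kvdelim=":"):
    """Split raw text into pairs: one pair per pairdelim-separated line, key
    before the first kvdelim, value after it. Every value is kept (mv_add
    semantics), so the two Kaspersky blocks yield two values per key."""
    fields = defaultdict(list)
    for chunk in re.split(f"[{re.escape(pairdelim)}]+", raw):
        if kvdelim not in chunk:
            continue  # no delimiter at all: not a pair (e.g. the date line)
        key, _, value = chunk.partition(kvdelim)
        fields[key.strip()].append(value.strip())
    return dict(fields)


def drop_fields(fields, *names):
    """Remove named keys, the equivalent of `| fields - <fieldname>`."""
    return {k: v for k, v in fields.items() if k not in names}


def keep_report_fields(fields):
    """Keep only pairs that look like report counters: a worded key and only
    numeric values. This drops the URL fragments, the timestamp and the
    empty 'kaspersky output' header without naming each stray key."""
    return {
        k: v for k, v in fields.items()
        if re.fullmatch(r"[A-Za-z][A-Za-z ]+", k)
        and v and all(re.fullmatch(r"\d+", x) for x in v)
    }
```

The naive split also turns the timestamp and URL lines into 'pairs' (keys like `07` or `https`), which is the same false-positive problem the follow-up describes; the filter function is the general fix, `drop_fields` the targeted one.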