host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
VG Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA
UPDATED:
| makeresults
| eval _raw="host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
Test 1 Disk Test User
VG Disk only for VG group
VG 2 Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA"
| eval _raw=replace(_raw,"(?sm)Reconnecting.+$","")
| multikv forceheader=2
| table Sharename Type Comment
multikv is useful.
| makeresults
| eval _raw="host= xxx.xxx.xxx Fri 29 Nov 2019 12:35:09 PM EST
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
music Disk System default shared folder
Test Disk Test User
photo Disk System default shared folder
VG Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
MEDIA"
| makemv delim="
" _raw
| eval start=mvfind(_raw,"--------- ---- -------"), end=mvfind(_raw,"Reconnecting")
| eval raw=mvindex(_raw,start+1,end-1)
| table raw
| mvexpand raw
| rex field=raw "(?<Sharename>.+?) (?<Type>.+?) (?<Comment>.+)"
Is multikv required?
Thank you. How do we modify the rex to find fields with a space? For example, the sharename has a space.
Sharename Type Comment
Media Disk Public folder
music Disk System default shared folder
Test 1 Disk Test User
photo Disk System default shared folder
VG 2 Disk only for VG group
video Disk System default shared folder
web Disk System default shared folder
IPC$ IPC IPC Service ()
Please check regex101.com.
I don't understand your sample sharename.
Using multikv, how do I extract fields that have a space in between?
For example:
User Permissions
Test Name 1 read, write
Test Name 2 read, write
and so on.
If 1 space is the delimiter, my multikv command extracts only Test as User and not "Test Name 1" or "Test Name 2".
What is the right way to make this happen during search time?
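An added example, not from any poster in this thread: one way to handle share names that contain spaces in the smbclient listing above is to anchor the rex on the Type column instead of on a single space. It assumes Type only takes the values smbclient prints (Disk, Printer, IPC, Device), and the event is a constructed sample based on the listing in this thread; a share name that itself contains one of those words followed by a space would still be split early.

```spl
| makeresults
| eval _raw="host= xxx.xxx.xxx (constructed sample event)
Sharename Type Comment
--------- ---- -------
Media Disk Public folder
Test 1 Disk Test User
VG 2 Disk only for VG group
IPC$ IPC IPC Service ()
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
MEDIA"
| eval line=_raw
| makemv delim="
" line
| mvexpand line
| rex field=line "^\s*(?<Sharename>\S.*?)\s+(?<Type>Disk|Printer|IPC|Device)\s+(?<Comment>.*)$"
| where isnotnull(Type)
| table Sharename Type Comment
```

Header, separator, and workgroup lines carry no Type token, so they fail the rex and are dropped by the where clause; "Test 1" and "VG 2" come out as whole share names.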