I have this message field that I need to extract the value from the brackets. The values are C,D,E,F,G
Message.Rogue.AllDskID{} how would I use REX to do this? Or would I need to use the eval command?
I believe I was overthinking it. I was able to get what I needed with this.
index=store source="softwareinventory" host="SNC****"
| dedup host
| rex field=host "(SNC|POPS)(?<Store>\d+)"
| search "Message.Rogue.AllDskID{}"="E:" OR "Message.Rogue.AllDskID{}"="F:" OR "Message.Rogue.AllDskID{}"="G:"
| rename Message.Rogue.AllDskID{} as Drive_Letter
| rename Message.Rogue.AllVlmName{} as Volume_Name
| table Store Drive_Letter Volume_Name


Hi @Robwhoa78 ,
good for you, see next time!
let me know if I can help you more, or, please, accept one answer for the other people of Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉


{"Level":"INFO","Timestamp":"2024-10-23T11:15:30.2696398-06:00","Message":{"Hiberfile":"NonExist"},"FireWallStatus":{"DomainFireWall":"OFF","PrivateFireWall":"OFF","PublicFireWall":"OFF"},"TermInfo":{"Lane91":"InTermHandler","Lane50":"InTermHandler"},"Time":{"Timezone":"Mountain Standard Time","DaylightSavings":"True","LocalClock":"10/23/2024 11:15:24 AM","Status":{"LastSuccessfulSync":"10/23/2024 11:13:57 AM","LastSyncSource":"pool.ntp.org"},"Peers":{"TimeServer#1":"pool.ntp.org","TimeServer#2":"time.windows.com"}},"MarketingTimeStamp":{"MarketingTimeStamp":"2024-10-11T20:29:09.000"},"TaskInfo":{"AI Restart DAILY":{"ScheduledTaskState":"Enabled","StartTime":"1:30:00 AM","LastRunTime":"10/23/2024 1:30:01 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"AI Restart Weekly":{"ScheduledTaskState":"Enabled","StartTime":"4:30:00 AM","LastRunTime":"10/23/2024 4:30:00 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"CarHop Backup":{"ScheduledTaskState":"Enabled","StartTime":"4:45:00 AM","LastRunTime":"10/23/2024 4:45:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"D Drive Temp Folder Clean Up":{"ScheduledTaskState":"Enabled","StartTime":"2:30:00 AM","LastRunTime":"10/23/2024 2:30:01 AM","LastResult":"1","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"LANDESK Agent Health":{"ScheduledTaskState":"Enabled","StartTime":"9:00:00 PM","LastRunTime":"10/22/2024 9:00:01 PM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineCore{5E85796F-9899-4CC1-B3A0-4D719B6B80C5}":{"ScheduledTaskState":"Enabled","StartTime":"11:48:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineUA{74A7D1C8-E2E1-498A-B5E2-2E132A3C29ED}":{"ScheduledTaskState":"Enabled","StartTime":"11:18:40 AM","LastRunTime":"11/30/1999 12:00:00 
AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"PAYS Restart Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"PCDiskClean":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart DPC - Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Interceptor Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart SIS After Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 4:11:19 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Splunk":{"ScheduledTaskState":"Enabled","StartTime":"12:00:00 AM","LastRunTime":"10/23/2024 6:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"SISRestart":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"-2147024894","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"System To FOH On Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 11:12:27 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS 
stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"69GB","FreeSpaceBytes":"73613537280","PercentFree":"47%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:","D:"],"AllVlmName":["Sonic","Micros"]},


Hi @Robwhoa78 ,
if you used INDEXED_EXTRACTIONS = JSON you should have the value, otherwise, you could use the spath command.
As last choice, you could use rex:
| rex "\"Rogue\":\{\"AllDskID\":\[\"(?<AllDskID>[^\"]+)"
If instead your issue is that from the "Message.Rogue.AllDskID{}" field you have more than you want, you could try with:
| rex field=Message.Rogue.AllDskID{} "^\"(?<AllDskID>[^\"]+)"
Ciao.
Giuseppe
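Added example, not part of the original thread: a self-contained search that extracts every value of the AllDskID array with spath, pairs each drive letter with its volume name, and keeps only drives other than C and D. The event is a constructed sample modelled on the JSON posted in this thread; the `pair` field and the C/D baseline are assumptions made for illustration.

```spl
| makeresults
| eval _raw="{\"Message\":{\"Rogue\":{\"AllDskID\":[\"C:\",\"D:\",\"F:\",\"G:\"],\"AllVlmName\":[\"Sonic\",\"Micros\",\"Sonic\",\"Micros\"]}}}"
| spath path=Message.Rogue.AllDskID{} output=Drive_Letter
| spath path=Message.Rogue.AllVlmName{} output=Volume_Name
| eval pair=mvzip(Drive_Letter, Volume_Name, "|")
| mvexpand pair
| eval Drive_Letter=mvindex(split(pair, "|"), 0), Volume_Name=mvindex(split(pair, "|"), 1)
| where NOT match(Drive_Letter, "^[CD]:?$")
| table Drive_Letter Volume_Name
```

Because the field is multivalue, a plain `search` on one value keeps the whole event with all of its drive letters; expanding the zipped pairs yields one row per drive, so only the unexpected drives and their matching volume names remain.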
I need this to show the AllDskID which is C,D,E,F, or G. Examples are below.
"Rogue":{"AllDskID":["C:","D:","E","F"]
"Rogue":{"AllDskID":["C:","D:","F","G"]
"Rogue":{"AllDskID":["C:","D:"]


Hi @Robwhoa78 ,
in the sample you shared, there's only one value "C:", not also the others, could you share a sample with all the values to extract?
highlighting in bold the values to extract?
Ciao.
Giuseppe
"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"64GB","FreeSpaceBytes":"69178445824","PercentFree":"44%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:","D:","F:","G:"],"AllVlmName":["Sonic","Micros","Sonic","Micros"]},"Stall":{"12":"GENERIC","16":"GENERIC","10":"POPS4","06":"POPS4","26":"GENERIC","100":"POPS4","11":"POPS4","07":"GENERIC","05":"POPS4","32":"GENERIC","94":"DriveThru","02":"POPS4","04":"POPS4","08":"POPS4","25":"GENERIC","56":"GENERIC","09":"POPS4","01":"POPS4","03":"POPS4"},"ErrorPCG":"No recent PCG Install errors detected","Ddrive":{"DriveName":"Micros","TotalFriendlySize":"91GB","TotalSizeBytes":"98123640832","FriendlyFreeSpace":"33GB","FreeSpaceBytes":"35223568384","PercentFree":"36%","ChkDskNeeded":"NotAvailable"},"RAIDinfo":{"DriverVersion":"15.9.0.1015","ToolVersion":"15.9.0.1015"},"RAIDtest":{"SystemType":"UnableToQuery","RAIDstatus":"UnableToQuery","ErrorMessage":"Provider failure "},"VigilixRegistry":"VigilixRegistryCorrect"}}
