Hi @Robwhoa78 ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

{"Level":"INFO","Timestamp":"2024-10-23T11:15:30.2696398-06:00","Message":{"Hiberfile":"NonExist"},"FireWallStatus":{"DomainFireWall":"OFF","PrivateFireWall":"OFF","PublicFireWall":"OFF"},"TermInfo":{"Lane91":"InTermHandler","Lane50":"InTermHandler"},"Time":{"Timezone":"Mountain Standard Time","DaylightSavings":"True","LocalClock":"10/23/2024 11:15:24 AM","Status":{"LastSuccessfulSync":"10/23/2024 11:13:57 AM","LastSyncSource":"pool.ntp.org"},"Peers":{"TimeServer#1":"pool.ntp.org","TimeServer#2":"time.windows.com"}},"MarketingTimeStamp":{"MarketingTimeStamp":"2024-10-11T20:29:09.000"},"TaskInfo":{"AI Restart DAILY":{"ScheduledTaskState":"Enabled","StartTime":"1:30:00 AM","LastRunTime":"10/23/2024 1:30:01 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"AI Restart Weekly":{"ScheduledTaskState":"Enabled","StartTime":"4:30:00 AM","LastRunTime":"10/23/2024 4:30:00 AM","LastResult":"2","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"CarHop Backup":{"ScheduledTaskState":"Enabled","StartTime":"4:45:00 AM","LastRunTime":"10/23/2024 4:45:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"D Drive Temp Folder Clean Up":{"ScheduledTaskState":"Enabled","StartTime":"2:30:00 AM","LastRunTime":"10/23/2024 2:30:01 AM","LastResult":"1","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"LANDESK Agent Health":{"ScheduledTaskState":"Enabled","StartTime":"9:00:00 PM","LastRunTime":"10/22/2024 9:00:01 PM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineCore{5E85796F-9899-4CC1-B3A0-4D719B6B80C5}":{"ScheduledTaskState":"Enabled","StartTime":"11:48:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"MicrosoftEdgeUpdateTaskMachineUA{74A7D1C8-E2E1-498A-B5E2-2E132A3C29ED}":{"ScheduledTaskState":"Enabled","StartTime":"11:18:40 AM","LastRunTime":"11/30/1999 12:00:00 AM","LastResult":"267011","Author":"N/A","RunAsUser":"SYSTEM"},"PAYS Restart Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"PCDiskClean":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart DPC - Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Interceptor Daily":{"ScheduledTaskState":"Enabled","StartTime":"5:30:00 AM","LastRunTime":"10/23/2024 5:30:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart SIS After Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 4:11:19 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Restart Splunk":{"ScheduledTaskState":"Enabled","StartTime":"12:00:00 AM","LastRunTime":"10/23/2024 6:00:01 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"SISRestart":{"ScheduledTaskState":"Enabled","StartTime":"5:00:00 AM","LastRunTime":"10/23/2024 5:00:01 AM","LastResult":"-2147024894","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"System To FOH On Reboot":{"ScheduledTaskState":"Enabled","StartTime":"N/A","LastRunTime":"10/23/2024 11:12:27 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"69GB","FreeSpaceBytes":"73613537280","PercentFree":"47%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:","😧"],"AllVlmName":["Sonic","Micros"]},

Hi @Robwhoa78 ,

if you used INDEXED_EXTRACTIONS = JSON you shoudl have the value, otherwise, you could use the spath command.

As last choice, you could use rex:

| rex "\"Rogue\":\{\"AllDskID\":\[\"(?<AllDskID>[^\"]+)"

in instead you'r issue is that from the "Message.Rogue.AllDskID{}" field you have more that you want, you could try with:

| rex field=Message.Rogue.AllDskID{} "^\"(?<AllDskID>[^\"]+)"

Ciao.

Giuseppe

I need this to show the AllDskID which is C,D,E,F, or G.  Examples are below. 

"Rogue":{"AllDskID":["C:","D:","E","F"]

"Rogue":{"AllDskID":["C:","D:","F","G"]

"Rogue":{"AllDskID":["C:","D:"]

Hi @Robwhoa78 ,

in the sample you shared, there's only one value "C:", not also the others, could you share a sample with all the values to extract?

highlighting in bold the values to extract?

Ciao.

Giuseppe

"Weekly Reboot":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/23/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly Reboot -Optional":{"ScheduledTaskState":"Enabled","StartTime":"4:00:00 AM","LastRunTime":"10/22/2024 4:00:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Weekly reboot-POPS stalls":{"ScheduledTaskState":"Enabled","StartTime":"3:45:00 AM","LastRunTime":"10/23/2024 3:45:00 AM","LastResult":"0","Author":"SonicConfigurationTeam","RunAsUser":"SYSTEM"},"Workstation Audit Logs":{"ScheduledTaskState":"Enabled","StartTime":"12:05:00 AM","LastRunTime":"10/23/2024 12:05:01 AM","LastResult":"0","Author":"BrandDevOpsTeam","RunAsUser":"SYSTEM"}},"FilesInLoad":{},"Cdrive":{"DriveName":"Sonic","TotalFriendlySize":"146GB","TotalSizeBytes":"157286395904","FriendlyFreeSpace":"64GB","FreeSpaceBytes":"69178445824","PercentFree":"44%","ChkDskNeeded":"NotAvailable"},"Rogue":{"AllDskID":["C:","😧","F:","G:"],"AllVlmName":["Sonic","Micros","Sonic","Micros"]},"Stall":{"12":"GENERIC","16":"GENERIC","10":"POPS4","06":"POPS4","26":"GENERIC","100":"POPS4","11":"POPS4","07":"GENERIC","05":"POPS4","32":"GENERIC","94":"DriveThru","02":"POPS4","04":"POPS4","08":"POPS4","25":"GENERIC","56":"GENERIC","09":"POPS4","01":"POPS4","03":"POPS4"},"ErrorPCG":"No recent PCG Install errors detected","Ddrive":{"DriveName":"Micros","TotalFriendlySize":"91GB","TotalSizeBytes":"98123640832","FriendlyFreeSpace":"33GB","FreeSpaceBytes":"35223568384","PercentFree":"36%","ChkDskNeeded":"NotAvailable"},"RAIDinfo":{"DriverVersion":"15.9.0.1015","ToolVersion":"15.9.0.1015"},"RAIDtest":{"SystemType":"UnableToQuery","RAIDstatus":"UnableToQuery","ErrorMessage":"Provider failure "},"VigilixRegistry":"VigilixRegistryCorrect"}}