Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with extract fields from the following WMIC log files?

rfellmann
New Member
‎11-13-2018 02:23 AM

I've got wmic logfiles which look like this:

Name Vendor Version

Java 8 Update 172 (64-bit) Oracle Corporation 8.0.1720.11
Java 8 Update 181 Oracle Corporation 8.0.1810.15

Java Auto Updater Oracle Corporation 2.8.172.11

alt text

  • Header is always the same
  • The logs can have more than one row (some have up to 5)
  • The actual data rows are always separated by two or more whitespaces

What's the proper way to extract these fields? I managed to extract the first row using the rex command — but then, all other rows are ignored. Using multiple piped rex would result in having multiple field names (Name1, Name2, Name3 etc) for each row.

| rex field=_raw "^(\w+\s+)+(?P\w+\s+\d+\s+\w+\s+\d+)\s+(?P\w+\s+\w+)\s+(?P[^ ]+)"

Thank you!

Preview file
4 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-13-2018 04:19 AM

One option would be to take a look at the multikv command, which is specifically designed for processing such data.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎11-13-2018 04:19 AM

One option would be to take a look at the multikv command, which is specifically designed for processing such data.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv

0 Karma
Reply
Solved! Jump to solution

rfellmann
New Member
‎11-13-2018 04:23 AM

Brilliant thank you - exactly what I was looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...