I've got wmic logfiles which look like this:
Name Vendor Version
Java 8 Update 172 (64-bit) Oracle Corporation 8.0.1720.11
Java 8 Update 181 Oracle Corporation 8.0.1810.15
Java Auto Updater Oracle Corporation 2.8.172.11
What's the proper way to extract these fields? I managed to extract the first row using the rex command — but then, all other rows are ignored. Using multiple piped rex would result in having multiple field names (Name1, Name2, Name3 etc) for each row.
| rex field=_raw "^(\w+\s+)+(?P<Name>\w+\s+\d+\s+\w+\s+\d+)\s+(?P<Vendor>\w+\s+\w+)\s+(?P<Version>[^ ]+)"
Thank you!
One option would be to take a look at the multikv
command, which is specifically designed for processing such data.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multikv
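The header-offset parsing that multikv does for table-formatted events, as an added Python example (not from the post or from Splunk's own code) run over a constructed, column-aligned wmic sample. It assumes wmic's real output pads every column to a fixed width, which is why the single spaces inside "Java 8 Update 172" do not break the split:

```python
import re

# Constructed sample in the shape of "wmic product get name,vendor,version"
# output: each column is padded so the next column starts under its header.
SAMPLE = (
    "Name                         Vendor              Version\n"
    "Java 8 Update 172 (64-bit)   Oracle Corporation  8.0.1720.11\n"
    "Java 8 Update 181            Oracle Corporation  8.0.1810.15\n"
    "Java Auto Updater            Oracle Corporation  2.8.172.11\n"
)


def column_spans(header):
    """Locate each column from the header line.

    A column starts at the offset of its header word and runs up to the
    start of the next header word; the last column runs to end of line
    (end=None).  Returns a list of (name, start, end) tuples.
    """
    words = list(re.finditer(r"\S+", header))
    spans = []
    for i, m in enumerate(words):
        end = words[i + 1].start() if i + 1 < len(words) else None
        spans.append((m.group(), m.start(), end))
    return spans


def parse_wmic_table(text):
    """Turn a header-aligned table into one dict per data row.

    Slicing by header offsets (rather than splitting on whitespace) keeps
    values that contain single spaces, such as "Java 8 Update 172 (64-bit)",
    in one field.  Assumes no value is wider than its padded column, which
    wmic guarantees because it sizes columns from the data.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    spans = column_spans(lines[0])
    return [
        {name: line[start:end].strip() for name, start, end in spans}
        for line in lines[1:]
    ]


if __name__ == "__main__":
    for row in parse_wmic_table(SAMPLE):
        print(row)
```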
Brilliant, thank you - exactly what I was looking for.