Extract numeric value from CHKDSK event

dorgra
Path Finder

A scheduled task on a Windows server runs a CHKDSK /SCAN on every logical drive. The resultant Message field looks like:

Chkdsk was executed in scan mode on a volume snapshot. Checking file system on I: The type of the file system is NTFS. Volume label is Drive_I. Stage 1: Examining basic file system structure ... 749312 file records processed. File verification completed. 6 large file records processed. 0 bad file records processed. Stage 2: Examining file name linkage ... 1032916 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. Stage 3: Examining security descriptors ... Security descriptor verification completed. 141803 data files processed. CHKDSK is verifying Usn Journal... 1202632 USN bytes processed. Usn Journal verification completed. Windows has scanned the file system and found no problems. No further action is required. 1541403647 KB total disk space. 219960128 KB in 491177 files. 1634880 KB in 141804 indexes. 0 KB in bad sectors. 820095 KB in use by the system. 65536 KB occupied by the log file. 1318988544 KB available on disk. 65536 bytes in each allocation unit. 24084431 total allocation units on disk. 20609196 allocation units available on disk. ---------------------------------------------------------------------- Stage 1: Examining basic file system structure ... Stage 2: Examining file name linkage ... Stage 3: Examining security descriptors ... Windows has scanned the file system and found no problems. No further action is required.

I need to extract the 1541403647 and 1318988544 values from this field. I've tried a number of rex commands without success.

index=indexname sourcetype="WinEventLog:Application" host=hostname "total disk space"
| rex field=Message ".* required. (?\d+) KB .*"

I could use some assistance please.

0 Karma
1 Solution

tiagofbmm
Influencer

Here seems to be your regex:

| rex field=_raw "\s(?<total_disk_space>\d+)\sKB total disk space.*\s(?<available_on_disk>\d+)\sKB available on disk"

Let me know

0 Karma

dorgra
Path Finder

For some reason, it works when I split up the 2 values:
| rex field=_raw "\s(?<total_disk_space>\d+)\sKB total disk space"
| rex field=_raw "\s(?<available_on_disk>\d+)\sKB available on disk"

This is awesome. I was really close and can't see where my syntax error is. Thanks very much tiagofbmm.

0 Karma

dorgra
Path Finder

Shouldn't have mentioned this. Just remove the first \s and you get with AND without a space. Thanks again.

0 Karma
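Added example, not part of the thread: the accepted rex and the "drop the first \s" fix from the replies above, run with Python's re against a constructed excerpt of the question's Message, once with and once without the space before the total. It also generalises to pull every "N KB <label>" pair from the event, so free-space and bad-sector counts can be monitored from the same extraction. Python's re needs (?P<name>...) where Splunk's PCRE rex accepts (?<name>...); the patterns are otherwise identical.

```python
import re

# Constructed excerpt of the CHKDSK Application-log Message quoted in the question.
MSG_WITH_SPACE = (
    "Windows has scanned the file system and found no problems. No further action is required. "
    "1541403647 KB total disk space. 219960128 KB in 491177 files. 0 KB in bad sectors. "
    "1318988544 KB available on disk. 65536 bytes in each allocation unit."
)
# The variant raised in the thread: some events have no space before the first number.
MSG_NO_SPACE = MSG_WITH_SPACE.replace("required. 1541403647", "required.1541403647")

# The accepted regex as posted, with the leading \s that fails on the no-space variant.
REX_WITH_LEADING_WS = re.compile(
    r"\s(?P<total_disk_space>\d+)\sKB total disk space.*"
    r"\s(?P<available_on_disk>\d+)\sKB available on disk"
)
# The fix from the thread: drop the first \s. The digits are still pinned by the literal
# " KB total disk space" that follows, so the group cannot grab a stray digit run elsewhere.
REX_FIXED = re.compile(
    r"(?P<total_disk_space>\d+)\sKB total disk space.*"
    r"\s(?P<available_on_disk>\d+)\sKB available on disk"
)


def extract(pattern, message):
    """Return the named groups as ints, or None when the pattern does not match
    (rex leaves the fields empty in the same situation)."""
    m = pattern.search(message)
    if m is None:
        return None
    return {name: int(value) for name, value in m.groupdict().items()}


# Generalisation (assumption: every size line in the message has the shape "<n> KB <label>.").
KB_FIELD = re.compile(r"(\d+) KB ([^.]+?)\.")


def all_kb_fields(message):
    """Every '<n> KB <label>.' pair in the event, keyed by label with spaces replaced by underscores,
    e.g. total_disk_space, in_bad_sectors, available_on_disk."""
    return {label.strip().replace(" ", "_"): int(n) for n, label in KB_FIELD.findall(message)}


if __name__ == "__main__":
    print(extract(REX_WITH_LEADING_WS, MSG_NO_SPACE))  # None: the leading \s has nothing to match
    print(extract(REX_FIXED, MSG_NO_SPACE))
    print(all_kb_fields(MSG_WITH_SPACE))
```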

dorgra
Path Finder

I did find my error. Some of the instances for "total disk space" have a space to start and some don't. How do I get the value when there is NO space?

0 Karma