Splunk Search

Extract numeric value from CHKDSK event

dorgra
Path Finder

A scheduled task on a Windows server runs a CHKDSK /SCAN on every logical drive. The resultant Message field looks like:

Chkdsk was executed in scan mode on a volume snapshot. Checking file system on I: The type of the file system is NTFS. Volume label is Drive_I. Stage 1: Examining basic file system structure ... 749312 file records processed. File verification completed. 6 large file records processed. 0 bad file records processed. Stage 2: Examining file name linkage ... 1032916 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. Stage 3: Examining security descriptors ... Security descriptor verification completed. 141803 data files processed. CHKDSK is verifying Usn Journal... 1202632 USN bytes processed. Usn Journal verification completed. Windows has scanned the file system and found no problems. No further action is required. 1541403647 KB total disk space. 219960128 KB in 491177 files. 1634880 KB in 141804 indexes. 0 KB in bad sectors. 820095 KB in use by the system. 65536 KB occupied by the log file. 1318988544 KB available on disk. 65536 bytes in each allocation unit. 24084431 total allocation units on disk. 20609196 allocation units available on disk. ---------------------------------------------------------------------- Stage 1: Examining basic file system structure ... Stage 2: Examining file name linkage ... Stage 3: Examining security descriptors ... Windows has scanned the file system and found no problems. No further action is required.

I need to extract the 1541403647 and 1318988544 values from this field. I've tried a number of rex commands without success.

index=indexname sourcetype="WinEventLog:Application" host=hostname "total disk space"
| rex field=Message ".* required. (?\d+) KB .*"

I could use some assistance please.

0 Karma
1 Solution

tiagofbmm
Influencer

Here seems to be your regex:

| rex field=_raw "\s(?<total_disk_space>\d+)\sKB total disk space.*\s(?<available_on_disk>\d+)\sKB available on disk"

Let me know

0 Karma

dorgra
Path Finder

For some reason, it works when I split up the 2 values:
| rex field=_raw "\s(?<total_disk_space>\d+)\sKB total disk space"
| rex field=_raw "\s(?<available_on_disk>\d+)\sKB available on disk"

This is awesome. I was really close and can't see where my syntax error is. Thanks very much tiagofbmm.

0 Karma

dorgra
Path Finder

Shouldn't have mentioned this. Just remove the first \s and you get with AND without a space. Thanks again.

0 Karma

dorgra
Path Finder

I did find my error. Some of the instances for "total disk space" have a space to start and some don't. How do I get the value when there is NO space?

0 Karma
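To see why the leading \s breaks on events where the number runs straight after the period, here is the thread's pattern and the fixed one side by side, as an added example that is not from either poster: Python's re engine stands in for Splunk's PCRE-based rex, the sample messages are constructed from the event quoted in the question, and extract_disk_space and free_percent are hypothetical helper names.

```python
import re

# Constructed sample, abridged from the CHKDSK message quoted in the question:
# the tail of the event carries the two numbers the question asks for.
MSG_WITH_SPACE = (
    "Windows has scanned the file system and found no problems. "
    "No further action is required. 1541403647 KB total disk space. "
    "219960128 KB in 491177 files. 1318988544 KB available on disk. "
    "65536 bytes in each allocation unit."
)
# Constructed variant of the case dorgra hit: no space before the first number.
MSG_NO_SPACE = MSG_WITH_SPACE.replace("required. 1541403647", "required.1541403647")

# Pattern as first posted: the leading \s requires a whitespace character
# directly before the digits, so a number glued to the period never matches.
STRICT = re.compile(
    r"\s(?P<total_disk_space>\d+)\sKB total disk space"
    r".*?(?P<available_on_disk>\d+)\sKB available on disk"
)
# The fix from the thread: drop the first \s. Search still starts at the
# leftmost digit, so the whole number is captured either way.
RELAXED = re.compile(
    r"(?P<total_disk_space>\d+)\sKB total disk space"
    r".*?(?P<available_on_disk>\d+)\sKB available on disk"
)


def extract_disk_space(message, pattern=RELAXED):
    """Return {'total_disk_space': int, 'available_on_disk': int}, or None if no match."""
    m = pattern.search(message)
    if m is None:
        return None
    return {name: int(value) for name, value in m.groupdict().items()}


def free_percent(message):
    """Free space as a percentage of the volume, one decimal; None if unparsable."""
    fields = extract_disk_space(message)
    if fields is None or fields["total_disk_space"] == 0:
        return None
    return round(100.0 * fields["available_on_disk"] / fields["total_disk_space"], 1)


if __name__ == "__main__":
    for label, msg in (("with space", MSG_WITH_SPACE), ("no space", MSG_NO_SPACE)):
        print(label, "strict:", extract_disk_space(msg, STRICT))
        print(label, "relaxed:", extract_disk_space(msg), "free %:", free_percent(msg))
```

Once both values are integers, the same search can alert when free_percent drops below a threshold instead of just extracting the fields.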