A scheduled task on a Windows server runs a CHKDSK /SCAN on every logical drive. The resultant Message field looks like:
Chkdsk was executed in scan mode on a volume snapshot. Checking file system on I: The type of the file system is NTFS. Volume label is Drive_I. Stage 1: Examining basic file system structure ... 749312 file records processed. File verification completed. 6 large file records processed. 0 bad file records processed. Stage 2: Examining file name linkage ... 1032916 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. Stage 3: Examining security descriptors ... Security descriptor verification completed. 141803 data files processed. CHKDSK is verifying Usn Journal... 1202632 USN bytes processed. Usn Journal verification completed. Windows has scanned the file system and found no problems. No further action is required. 1541403647 KB total disk space. 219960128 KB in 491177 files. 1634880 KB in 141804 indexes. 0 KB in bad sectors. 820095 KB in use by the system. 65536 KB occupied by the log file. 1318988544 KB available on disk. 65536 bytes in each allocation unit. 24084431 total allocation units on disk. 20609196 allocation units available on disk. ---------------------------------------------------------------------- Stage 1: Examining basic file system structure ... Stage 2: Examining file name linkage ... Stage 3: Examining security descriptors ... Windows has scanned the file system and found no problems. No further action is required.
I need to extract the 1541403647 and 1318988544 values from this field. I've tried a number of rex commands without success.
index=indexname sourcetype="WinEventLog:Application" host=hostname "total disk space"
| rex field=Message ".* required. (?<total_disk_space>\d+) KB .*"
I could use some assistance please.
Here seems to be your regex:
| rex field=_raw "\s(?<total_disk_space>\d+)\sKB total disk space.*\s(?<available_on_disk>\d+)\sKB available on disk"
Let me know
For some reason, it works when I split up the 2 values:
| rex field=_raw "\s(?<total_disk_space>\d+)\sKB total disk space"
| rex field=_raw "\s(?<available_on_disk>\d+)\sKB available on disk"
This is awesome. I was really close and can't see where my syntax error is. Thanks very much tiagofbmm.
Shouldn't have mentioned this. Just remove the first \s and you get with AND without a space. Thanks again.
I did find my error. Some of the instances for "total disk space" have a space to start and some don't. How do I get the value when there is NO space?
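To show why the leading `\s` matters, here is an added example (not code from the thread) that runs the answer's regex, with and without the first `\s`, over two constructed abbreviated copies of the CHKDSK message: one where the total-disk-space number is preceded by a space, and one where it starts the field with no whitespace in front of it. Splunk's rex uses PCRE, where named groups are written `(?<name>...)`; Python's `re` module spells the same thing `(?P<name>...)`, which is the only change made to the pattern.

```python
import re

# Constructed sample inputs, abbreviated from the CHKDSK message quoted in the question.
# Variant 1: the number is preceded by a space, as in the quoted Message field.
MSG_SPACE = (
    "Windows has scanned the file system and found no problems. "
    "No further action is required. 1541403647 KB total disk space. "
    "219960128 KB in 491177 files. 1634880 KB in 141804 indexes. "
    "0 KB in bad sectors. 820095 KB in use by the system. "
    "65536 KB occupied by the log file. 1318988544 KB available on disk."
)
# Variant 2: constructed so the first number has no whitespace in front of it at all.
MSG_NO_SPACE = (
    "1541403647 KB total disk space. 219960128 KB in 491177 files. "
    "1318988544 KB available on disk."
)

# The forum answer's regex, translated from PCRE (?<name>) to Python's (?P<name>).
# This version requires whitespace before the first number, so it misses variant 2.
PATTERN_LEADING_SPACE = re.compile(
    r"\s(?P<total_disk_space>\d+)\sKB total disk space"
    r".*\s(?P<available_on_disk>\d+)\sKB available on disk"
)
# Same regex with the first \s removed: the number is anchored by the literal
# " KB total disk space" that follows it, so it matches both variants.
PATTERN_ANY = re.compile(
    r"(?P<total_disk_space>\d+)\sKB total disk space"
    r".*\s(?P<available_on_disk>\d+)\sKB available on disk"
)


def extract_disk_space(message, require_leading_space=False):
    """Return (total_kb, available_kb) as ints, or None when the regex does not match."""
    pattern = PATTERN_LEADING_SPACE if require_leading_space else PATTERN_ANY
    m = pattern.search(message)
    if m is None:
        return None
    return int(m.group("total_disk_space")), int(m.group("available_on_disk"))


if __name__ == "__main__":
    for label, msg in (("with space", MSG_SPACE), ("no space", MSG_NO_SPACE)):
        print(label,
              "| leading \\s:", extract_disk_space(msg, require_leading_space=True),
              "| no leading \\s:", extract_disk_space(msg))
```

One further caveat for the combined pattern: in both PCRE and Python, `.` does not cross a line break unless the pattern is made dot-all (`(?s)` in rex), so if the Message field is indexed with its original line breaks the `.*` between the two captures will not span them, and the two separate rex commands from the thread remain the safer choice.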