Hello
Good Day!
I have events in the raw data from which I want to extract the drive information into a few fields and convert it into GB.
event1:C:\Windows\system FreeSpace DeviceID FreeSpace
C: 36247773184
D: 96900616192
E: 26285309952
event2:C:\Windows\system DeviceID FreeSpace
C: 36247773184
D: 96900616192
event3:C:\Windows\system DeviceID FreeSpace
C: 36247773184
event4:C: 36247773184
D: 96900616192
E: 26285309952
My Query:
index=A
|rex "(?<Drive>\S+:\s+\d+)"
|stats values(Drive) by host _raw
My output:
Host | _raw | Drive |
A1 | C:\Windows\system FreeSpace DeviceID FreeSpace D: 96900616192 E: 26285309952 | C: 36247773184 |
A2 | C:\Windows\system FreeSpace DeviceID FreeSpace D: 96900616192 | C: 36247773184 |
I am getting only the first values, but I want to get all the values from the raw event and convert the numeric value into GB.
Please help me with that.
Thank you
Veeru
"Happy Splunking"
|rex max_match=0 "(?<Drive>\S+):\s+(?<size>\d+)"
You can match multiple times with max_match option for the rex command.
| rex max_match=0 "(?<Drive>..."
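To make the difference between the question's query and the answer's `max_match=0` suggestion concrete, here is an added Python example (not code from the original thread or from Splunk) that runs the two regexes from this page over the sample events above, emulating `rex` without `max_match` (first match only) versus `rex max_match=0` (every match, the equivalent of what `mvzip(Drive, size)` followed by `mvexpand` would then give you as one row per drive), and converts the byte counts to GB with `round(size / 1073741824, 2)`. The sample events, the host names `A1`/`A2`, and the tightened `[A-Za-z]:` pattern are assumptions of this example; the tightened pattern is included because `\S+:` is greedy and swallows the `event4:` prefix visible in the fourth event, which is a second reason the original output looks wrong.

```python
import re

# Constructed sample events, laid out as in the question. The "eventN:" prefixes
# are kept on purpose so the greedy-pattern problem is visible.
EVENTS = {
    "A1": "event1:C:\\Windows\\system FreeSpace DeviceID FreeSpace\n"
          "C: 36247773184\nD: 96900616192\nE: 26285309952",
    "A2": "event4:C: 36247773184\nD: 96900616192\nE: 26285309952",
}

# The question's pattern: a single capture holding "<drive>: <bytes>".
ORIGINAL = re.compile(r"(?P<Drive>\S+:\s+\d+)")
# The answer's pattern: separate Drive and size captures, meant for max_match=0.
ANSWER = re.compile(r"(?P<Drive>\S+):\s+(?P<size>\d+)")
# Tightened pattern (an assumption of this example): one drive letter before the
# colon, so a greedy \S+ cannot absorb "event4:C" into the Drive field.
TIGHT = re.compile(r"(?P<Drive>[A-Za-z]):\s+(?P<size>\d+)")

# Splunk eval has no GB unit; 1024^3 gives binary gigabytes (GiB). Use 10**9 if
# you want the decimal GB that vendors print on drive labels.
GIB = 1024 ** 3


def first_match(raw):
    """Mirror rex without max_match: only the first match is extracted."""
    m = ORIGINAL.search(raw)
    return m.group("Drive") if m else None


def all_matches(raw, pattern=ANSWER):
    """Mirror rex max_match=0: every match becomes a (Drive, size) pair,
    i.e. the rows mvzip(Drive, size) | mvexpand would produce in SPL."""
    return [(m.group("Drive"), int(m.group("size"))) for m in pattern.finditer(raw)]


def to_gb(size_bytes, ndigits=2):
    """Equivalent of eval FreeSpaceGB=round(size/1073741824, 2)."""
    return round(size_bytes / GIB, ndigits)


def free_space_by_host(events, pattern=TIGHT):
    """Return {host: [(Drive, FreeSpaceGB), ...]} with one entry per drive."""
    return {
        host: [(drive, to_gb(size)) for drive, size in all_matches(raw, pattern)]
        for host, raw in events.items()
    }


if __name__ == "__main__":
    for host, raw in EVENTS.items():
        print(host, "first match only:", first_match(raw))
        print(host, "max_match=0 with \\S+:", all_matches(raw))
        print(host, "max_match=0 with [A-Za-z]:", all_matches(raw, TIGHT))
    print(free_space_by_host(EVENTS))
```

Running it shows host A2 yielding `event4:C` as a drive name under the `\S+:` pattern, while the single-letter pattern returns C, D and E for both hosts with 33.76, 90.25 and 24.48 GB of free space. In SPL the same pipeline is `rex max_match=0` with the tightened pattern, then `eval pairs=mvzip(Drive, size) | mvexpand pairs`, split the pair back into `Drive` and `size` with `split`/`mvindex`, and finally `eval FreeSpaceGB=round(size/1073741824, 2)`.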