Solved: How to create rex for multiple fields?

Veeru · ‎06-05-2022

Hello
Good Day!
I have the events in the raw data where i want to extract the drive information into few field and convert into gb

event1:C:\Windows\system FreeSpace DeviceID FreeSpace
C: 36247773184

😧 96900616192

E: 26285309952

event2:C:\Windows\system DeviceID FreeSpace
C: 36247773184

😧 96900616192

event3:C:\Windows\system DeviceID FreeSpace
C: 36247773184

event4:C: 36247773184

😧 96900616192

E: 26285309952

My Query:
index=A
|rex "(?<Drive>\S+:\s+\d+)"
|stats values(Drive) by host _raw

My output:

Host

_raw

Drive

A1

C:\Windows\system FreeSpace DeviceID FreeSpace
C: 36247773184

😧 96900616192

E: 26285309952

C: 36247773184

A2

C:\Windows\system FreeSpace DeviceID FreeSpace
C: 36247773184

😧 96900616192

C: 36247773184

I am getting only first values .But i want to get a the values from the raw event and want to convert the digital value into gb
Please help me on that

Thank you
Veeru

"Happy Splunking"

ITWhisperer · ‎06-05-2022

|rex max_match=0 "(?<Drive>\S+):\s+(?<size>\d+)"

View solution in original post

ITWhisperer · ‎06-05-2022

|rex max_match=0 "(?<Drive>\S+):\s+(?<size>\d+)"

PickleRick · ‎06-05-2022

You can match multiple times with max_match option for the rex command.

| rex max_match=0 "(?<Drive>..."

Roy_9 · ‎06-05-2022

Hello @Veeru

Can you try as following:
| eval GB=round(b/1024/1024/1024, 3)

Thanks

How to create rex for multiple fields?

regex

rex

stats

table

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to create rex for multiple fields?

regex

rex

stats

table

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...