I am getting this data when I am pulling events from a sourcetype
Name=Microsoft Hyper-V Network Adapter _2
Now I want to show this in a table, but when I am using --> table Name then it is showing only Microsoft i.e. only the first word is being shown.
How can I show the whole value of the name field?
Please help.
Try this....
| makeresults
| eval _raw= "BytesReceivedPersec=5057
BytesSentPersec=12654
BytesTotalPersec=17711
CurrentBandwidth=50000000000
Name=Microsoft Hyper-V Network Adapter _2
wmi_type=LocalNetwork"
| rex field=_raw "Name\=(?<Name>[\w\s\-\_]+)\s"
| table Name
Can you share a sample raw data?
BytesReceivedPersec=5057
BytesSentPersec=12654
BytesTotalPersec=17711
CurrentBandwidth=50000000000
Name=Microsoft Hyper-V Network Adapter _2
wmi_type=LocalNetwork