Solved: Field with single value but value has spaces

ghs_bcarroll · ‎05-31-2012

I currently logged the following data

Description=Windows Support Tools
InstallDate=20120126
InstallDate2=NULL
Name=Windows Support Tools
Version=5.2.3790.3959
wmi_type=InstalledSoftware

However the problem I have when evaluating the data is the Name field will only show the first word of the string "Windows" instead of "Windows Support Tools", is there any way to get this field to show as a single value?

Currently I am running the query

sourcetype="WMI:InstalledSoftware" | table host Name Version Description

And it returns this

host    Name    Version     Description
1   PAVFEX01    Windows 5.2.3790.3959   Windows
2   PAVFEX01    Microsoft   4.1.10329.0 Microsoft
3   PAVFEX01    Microsoft   9.0.30729.4148  Microsoft
4   PAVFEX01    Microsoft   3.3.11314.470   Microsoft
5   PAVFEX01    Microsoft   3.4.2350.0  Microsoft
6   PAVFEX01    VMware  8.6.5.11214 VMware
7   PAVFEX01    Microsoft   14.1.218.15 Microsoft
8   PAVFEX01    Microsoft   3.3.4604.001    Microsoft
9   PAVFEX01    Microsoft   8.1.6416.0  Microsoft
10  PAVFEX01    Microsoft   14.2.247.0  Microsoft

lguinn2 · ‎05-31-2012

Add the following to props.conf - if you don't already have a props.conf, you could put it in $SPLUNK_HOME\etc\system\local

[WMI:InstalledSoftware]
EXTRACT-e1=Description.(?<Description>.*?)[\r\n] 
EXTRACT-e2= Name.(?<Name>.*?)[\r\n]

This overrides Splunk's default field extraction, which it uses whenever it finds "name=value" in an event. This regex says "take all the characters up to the next carriage return or newline and assign them to the field".

If this doesn't work, just comment and I will try to refine the regex.

(Updated: Thanks Kristian - don't know how the spaces got in there! And definite typo on the EXTRACT-e2, I must have been tired...)

View solution in original post

ghs_bcarroll · ‎06-04-2012

Thanks for your response lguinn. I added this to my existing props.conf file and restarted the forwarder on the server in question, sadly it didn't seem to make a difference.

Ayn · ‎06-04-2012

These extractions are done at search-time and as such shouldn't go on the forwarder, they should go on the Splunk instance you're searching on.

lguinn2 · ‎05-31-2012

Add the following to props.conf - if you don't already have a props.conf, you could put it in $SPLUNK_HOME\etc\system\local

[WMI:InstalledSoftware]
EXTRACT-e1=Description.(?<Description>.*?)[\r\n] 
EXTRACT-e2= Name.(?<Name>.*?)[\r\n]

This overrides Splunk's default field extraction, which it uses whenever it finds "name=value" in an event. This regex says "take all the characters up to the next carriage return or newline and assign them to the field".

If this doesn't work, just comment and I will try to refine the regex.

(Updated: Thanks Kristian - don't know how the spaces got in there! And definite typo on the EXTRACT-e2, I must have been tired...)

mako1 · ‎06-18-2013

Is it possible to set these values when using the Java splunk API? I am using the export service to read splunk. I tried changing my pairdelim values using
| extract pairdelim=";" |

but it didnt work 😞

ghs_bcarroll · ‎06-05-2012

Thank you everyone, after updating the props.conf on the proper machine it worked perfectly

kristian_kolb · ‎06-04-2012

Two things/questions;
Shouldn't the EXTRACT-name be unique, i.e. e1, e2 etc?
Is it OK to have spaces inside the angle brackets, e.g. (?.*?) vs. (?< Description >.*?)

And YES, Ayn is right, it's not the forwarder that needs updating.

/k

ghs_bcarroll · ‎06-04-2012

Thanks for your response lguinn. I added this to my existing props.conf file and restarted the forwarder on the server in question, sadly it didn't seem to make a difference.

Field with single value but value has spaces

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms