Looking for some help with rex. The raw data looks like this,
value= Name : SiteScope.exe MemGB : 6568 Name : powershell_ise.exe MemGB : 153 Name : WmiPrvSE.exe MemGB : 146 Name : powershell_ise.exe MemGB : 143 Name : powershell.exe MemGB : 98 17496 Mon Aug 08 15:30:38 2016 stopping 17496 end perfex 31:19 0 3583 3583 Name : SiteScope.exe MemGB : 6568 Name : powershell_ise.exe MemGB : 153 Name : WmiPrvSE.exe MemGB : 146 Name : powershell_ise.exe MemGB : 143 Name : powershell.exe MemGB : 98 17496 Mon Aug 08 15:30:38 2016 stopping 17496 end perfex
I tried Name\s:\s+(?\w+.exe\s\w+\s+:\s\d+)
regex which works fine in a regex tester, but Splunk is not extracting the fields. I want to use max_match=0 so that it picks up all the process names and memory usage. If the rex works fine, it should show a result like below,
SiteScope.exe MemGB : 6568
powershell.exe MemGB : 98
WmiPrvSE.exe MemGB : 146
Give this a try
your base search | rex max_match=0 "Name\s+:\s+(?<Process>\S+)\s+MemGB\s+:\s+(?<MemGB>\d+)" | table Process MemGB
That worked. Thank you very much.
What does your query look like?
It seems the thing you tried didn't have a name to assign the capture group to. Notice in the correct answer (below) that there's a <Process> and <MemGB> after the capture group starts.