I am currently logging the following data:
Description=Windows Support Tools
InstallDate=20120126
InstallDate2=NULL
Name=Windows Support Tools
Version=5.2.3790.3959
wmi_type=InstalledSoftware
However, the problem I have when evaluating the data is that the Name field only shows the first word of the string ("Windows" instead of "Windows Support Tools"). Is there any way to get this field to show as a single value?
Currently I am running the query:
sourcetype="WMI:InstalledSoftware" | table host Name Version Description
And it returns this:
     host      Name       Version         Description
 1   PAVFEX01  Windows    5.2.3790.3959   Windows
 2   PAVFEX01  Microsoft  4.1.10329.0     Microsoft
 3   PAVFEX01  Microsoft  9.0.30729.4148  Microsoft
 4   PAVFEX01  Microsoft  3.3.11314.470   Microsoft
 5   PAVFEX01  Microsoft  3.4.2350.0      Microsoft
 6   PAVFEX01  VMware     8.6.5.11214     VMware
 7   PAVFEX01  Microsoft  14.1.218.15     Microsoft
 8   PAVFEX01  Microsoft  3.3.4604.001    Microsoft
 9   PAVFEX01  Microsoft  8.1.6416.0      Microsoft
10   PAVFEX01  Microsoft  14.2.247.0      Microsoft
Add the following to props.conf - if you don't already have a props.conf, you could put it in $SPLUNK_HOME\etc\system\local
[WMI:InstalledSoftware]
# capture everything after "Description=" up to the end of that line
EXTRACT-e1=Description.(?<Description>.*?)[\r\n]
# same for "Name=" (no stray space after the "=")
EXTRACT-e2=Name.(?<Name>.*?)[\r\n]
This overrides Splunk's default field extraction, which it uses whenever it finds "name=value" in an event. This regex says "take all the characters up to the next carriage return or newline and assign them to the field".
If this doesn't work, just comment and I will try to refine the regex.
(Updated: Thanks Kristian - don't know how the spaces got in there! And definite typo on the EXTRACT-e2, I must have been tired...)
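To see why the default extraction truncates the value and how the EXTRACT regexes from the answer above fix it, here is an added Python model (not code from this thread or from Splunk). The sample event is constructed from the question, and auto_kv is a deliberately simplified stand-in for Splunk's built-in key=value extraction, assumed here to end a value at the first whitespace.

```python
import re

# Constructed sample event, modelled on the WMI:InstalledSoftware record quoted in the question.
SAMPLE_EVENT = (
    "Description=Windows Support Tools\r\n"
    "InstallDate=20120126\r\n"
    "InstallDate2=NULL\r\n"
    "Name=Windows Support Tools\r\n"
    "Version=5.2.3790.3959\r\n"
    "wmi_type=InstalledSoftware\r\n"
)

# The regexes from the props.conf stanza in the answer, kept in their PCRE spelling.
EXTRACTS = {
    "EXTRACT-e1": r"Description.(?<Description>.*?)[\r\n]",
    "EXTRACT-e2": r"Name.(?<Name>.*?)[\r\n]",
}


def pcre_to_python(pattern: str) -> str:
    """Python's re spells named groups (?P<name>...): rewrite (?<name> but leave
    the lookbehinds (?<= and (?<! alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def auto_kv(event: str) -> dict:
    """Simplified model (an assumption, not Splunk's code) of the default key=value
    extraction: a value ends at the first whitespace, so 'Windows Support Tools'
    collapses to 'Windows'."""
    return dict(re.findall(r"(\w+)=(\S+)", event))


def apply_extracts(event: str, extracts: dict = EXTRACTS) -> dict:
    """Run each EXTRACT-* regex over the event and collect its named groups."""
    # Note the trailing [\r\n] in the patterns: a value sitting on the last line of
    # an event that has no terminating newline is not captured at all.
    fields = {}
    for pattern in extracts.values():
        match = re.search(pcre_to_python(pattern), event)
        if match:  # a non-matching regex simply contributes no field
            fields.update(match.groupdict())
    return fields


def extract_fields(event: str) -> dict:
    """Fields as the search head would see them: configured EXTRACTs win over auto-kv."""
    fields = auto_kv(event)
    fields.update(apply_extracts(event))
    return fields
```

Because the patterns are unanchored, a key that merely contains the text "Name" earlier in the event would be matched first; anchoring with (?m)^Name avoids that.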
Thanks for your response lguinn. I added this to my existing props.conf file and restarted the forwarder on the server in question, sadly it didn't seem to make a difference.
These extractions are done at search-time and as such shouldn't go on the forwarder, they should go on the Splunk instance you're searching on.
Is it possible to set these values when using the Java Splunk API? I am using the export service to read Splunk. I tried changing my pairdelim values using
| extract pairdelim=";" |
but it didn't work 😞
Thank you everyone, after updating the props.conf on the proper machine it worked perfectly
Two things/questions;
Shouldn't the EXTRACT-name be unique, i.e. e1, e2 etc?
Is it OK to have spaces inside the angle brackets, e.g. (?<Description>.*?) vs. (?< Description >.*?)
And YES, Ayn is right, it's not the forwarder that needs updating.
/k