I have a field in Windows Backup Events named VolumesInfo
Sample:
<VolumeInfoItem Name="System" OriginalAccessPath="" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="54001664" NumUnreadableBytes="0" TotalSize="54001664" TotalNoOfFiles="0" Flags="554" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /><VolumeInfoItem Name="C:" OriginalAccessPath="C:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="1" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="1" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="35564748800" NumUnreadableBytes="0" TotalSize="35564748800" TotalNoOfFiles="0" Flags="1576" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /><VolumeInfoItem Name="D:" OriginalAccessPath="D:" State="14" HResult="0" DetailedHResult="0" PreviousState="9" IsCritical="0" IsIncremental="0" BlockLevel="1" HasFiles="0" HasSystemState="0" IsCompacted="0" IsPruned="0" IsRecreateVhd="0" FullBackupReason="0" DataTransferred="3730767872" NumUnreadableBytes="0" TotalSize="3730767872" TotalNoOfFiles="0" Flags="8" BackupTypeDetermined="1" SSBTotalNoOfFiles="0" SSBTotalSizeOnDisk="0" /></VolumeInfo>
This contains information about all the volumes backed up on a certain computer. However, I am struggling to extract all the multiple volumes and related information; in the sample data there are three volumes: "System", "C:" and "D:".
I have tried field extractions, but they only return the first one. makemv and mvexpand are also not helping. I need results in this format:
Computer VolumeName TotalSize DataTransferred
Server1 System 1212 12
Server1 C: 7575 77
Server1 D: 7676 66
Server2 C: 767 7
and so on…
Try something like this...
| rex field=VolumeInfo "Name=\"(?<temp1>[^\"]+)" max_match=0
| rex field=VolumeInfo "TotalSize=\"(?<temp2>[^\"]+)" max_match=0
| rex field=VolumeInfo "DataTransferred=\"(?<temp3>[^\"]+)" max_match=0
| eval mydata=mvzip(mvzip(temp1,temp2,"!!!!"),temp3,"!!!!")
| mvexpand mydata
| rex field=mydata "^(?<Name>.*?)!!!!(?<TotalSize>.*?)!!!!(?<DataTransferred>.*?)$"
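A self-contained variant of the search above, as an added example that is not part of the original answer: it first splits the field into one value per VolumeInfoItem element and only then extracts the attributes, so Name, TotalSize and DataTransferred stay aligned even if one element lacks an attribute (mvzip pairs values purely by position). The makeresults event is constructed from a trimmed copy of the sample, and the Computer field name is an assumption taken from the requested output.

```spl
| makeresults
| eval Computer="Server1"
| eval VolumeInfo="<VolumeInfoItem Name=\"System\" DataTransferred=\"54001664\" TotalSize=\"54001664\" /><VolumeInfoItem Name=\"C:\" DataTransferred=\"35564748800\" TotalSize=\"35564748800\" /><VolumeInfoItem Name=\"D:\" DataTransferred=\"3730767872\" TotalSize=\"3730767872\" />"
| rex field=VolumeInfo max_match=0 "(?<item><VolumeInfoItem\s[^>]*>)"
| mvexpand item
| rex field=item "\sName=\"(?<VolumeName>[^\"]*)\""
| rex field=item "\sTotalSize=\"(?<TotalSize>[^\"]*)\""
| rex field=item "\sDataTransferred=\"(?<DataTransferred>[^\"]*)\""
| table Computer VolumeName TotalSize DataTransferred
```

Against real events, drop the first three lines and start from the base search that returns the backup events.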
The TotalSize 1212, 7575... and DataTransferred are not there in the sample.
(In the sample: TotalSize="54001664", DataTransferred="54001664")
Can you please update clearly how you found these details?
Yes, that's just for explaining. I was a bit lazy, not copying the actual values 🙂