How to separate OS name and OS version values from a field having combined value?

sh254087 — Tue, 11 Apr 2023 16:30:46 GMT

I have a column that holds OS Name along with it's version details.

os_full_name

CentOS Linux release 7.1.1503 (Core)

CentOS Linux release 7.2.1511 (Core)

CentOS Linux release 7.4.1708 (Core)

Fire Linux OS 6.2.0-42

Microsoft Windows Server 2008 R2 Enterprise Version 6.1.7601 Build 7601

Microsoft Windows Server 2012 R2 Datacenter Version 6.3.9600 Build 9600

Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600

Microsoft Windows Server 2016

Red Hat Enterprise Linux Server release 6.3 (Santiago)

Red Hat Enterprise Linux Server release 6.9 (Santiago)

SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 4

SUSE Linux Enterprise Server 12 (x86_64) VERSION = 12 PATCHLEVEL = 3

Ubuntu 14.04.3 LTS

Ubuntu 16.04 LTS

Ubuntu 16.04.3 LTS

VMware ESXi vmnix-x86 5.5.0

I want to split this column so that I get OS name and Version details in separate fields to get something like -

os_full_name	os_name	os_version
CentOS Linux release 7.1.1503 (Core)	CentOS Linux	release 7.1.1503 (Core)
CentOS Linux release 7.2.1511 (Core)	CentOS Linux	release 7.2.1511 (Core)
CentOS Linux release 7.4.1708 (Core)	CentOS Linux	release 7.4.1708 (Core)
Fire Linux OS 6.2.0-42	Fire Linux OS	6.2.0-42
Microsoft Windows Server 2008 R2 Enterprise Version 6.1.7601 Build 7601	Microsoft Windows Server 2008 R2 Enterprise	Version 6.1.7601 Build 7601
Microsoft Windows Server 2012 R2 Datacenter Version 6.3.9600 Build 9600	Microsoft Windows Server 2012 R2 Datacenter	Version 6.3.9600 Build 9600
Microsoft Windows Server 2012 R2 Standard Version 6.3.9600 Build 9600	Microsoft Windows Server 2012 R2 Standard	Version 6.3.9600 Build 9600
Microsoft Windows Server 2016	Microsoft Windows Server 2016
Red Hat Enterprise Linux Server release 6.3 (Santiago)	Red Hat Enterprise Linux Server	release 6.3 (Santiago)
Red Hat Enterprise Linux Server release 6.9 (Santiago)	Red Hat Enterprise Linux Server	release 6.9 (Santiago)
SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 4	SUSE Linux Enterprise Server 11 (x86_64)	VERSION = 11 PATCHLEVEL = 4
SUSE Linux Enterprise Server 12 (x86_64) VERSION = 12 PATCHLEVEL = 3	SUSE Linux Enterprise Server 12 (x86_64)	VERSION = 12 PATCHLEVEL = 3
Ubuntu 14.04.3 LTS	Ubuntu	14.04.3 LTS
Ubuntu 16.04 LTS	Ubuntu	16.04 LTS
Ubuntu 16.04.3 LTS	Ubuntu	16.04.3 LTS
VMware ESXi vmnix-x86 5.5.0	VMware ESXi	vmnix-x86 5.5.0

Can someone please help with this?

Re: How to separate OS name and OS version values from a field having combined value

ITWhisperer — Tue, 11 Apr 2023 16:15:45 GMT

OS names and versions don't follow a universal pattern, so you could do multiple rex matches

| rex "(?<os_name>CentOS Linux)\s(?<os_version>.*)" | rex "(?<os_name>Fire Linux OS)\s(?<os_version>.*)" | rex "(?<os_name>Microsoft Windows Server 2008 R2 Enterprise)\s(?<os_version>.*)" | rex "(?<os_name>Microsoft Windows Server 2012 R2 Datacenter)\s(?<os_version>.*)" | rex "(?<os_name>Microsoft Windows Server 2012 R2 Standard)\s(?<os_version>.*)" | rex "(?<os_name>Red Hat Enterprise Linux Server)\s(?<os_version>.*)" | rex "(?<os_name>SUSE Linux Enterprise Server 11 (x86_64))\s(?<os_version>.*)" | rex "(?<os_name>SUSE Linux Enterprise Server 12 (x86_64))\s(?<os_version>.*)" | rex "(?<os_name>Ubuntu)\s(?<os_version>.*)" | rex "(?<os_name>VMware ESXi)\s(?<os_version>.*)"

topic How to separate OS name and OS version values from a field having combined value? in Splunk Search

How to separate OS name and OS version values from a field having combined value?

Re: How to separate OS name and OS version values from a field having combined value