Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split multiple lines in a table into separate rows?

jimmynguy
Explorer
‎06-27-2018 07:32 PM

I have some data from Tenable and I am trying to weed out the rows with multiple values into its own row.

alt text

A good example would be is the 4th row with 3 CVE-IDs (CVE-2003-1567, CVE-2004-2320, and CVE-2010-0386).

Instead, I would like to break it out to look like this:

CVE-2003-1567 Disable these methods. Refer to the plugin output for more information.
CVE-2004-2320 Disable these methods. Refer to the plugin output for more information.
CVE-2010-0386 Disable these methods. Refer to the plugin output for more information.

Any ideas?

Thanks

Tags (2)
Preview file
148 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-28-2018 12:46 AM

Sounds like a case for the mvexpand command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand

Try:

...your base search that results in this data...
| mvexpand "CVE ID"

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-28-2018 12:46 AM

Sounds like a case for the mvexpand command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Mvexpand

Try:

...your base search that results in this data...
| mvexpand "CVE ID"
Reply
Solved! Jump to solution

jimmynguy
Explorer
‎06-28-2018 05:24 AM

Frank,

index=tenable_data severity!="informational" hasBeenMitigated=0 
| fields cve, solution
| dedup cve
| mvexpand cve
| rename cve as "CVE ID", solution as "Solution"
| table "CVE ID","Solution"
| sort "CVE ID"

It would have been more useful if I sent you guys my SPL, sorry for not doing that! But, | mvexpand "CVE-ID" would not work, I had to use | mvexpand cve. Could you explain why that is the case? Does | mvexpand not work if a field has been renamed?

Thanks for introducing me to the mvexpand command!!

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎06-28-2018 05:51 AM

If you put the mvexpand command before the rename command, then of course you need to use the original name of the field 🙂

0 Karma
Reply
Solved! Jump to solution

jimmynguy
Explorer
‎06-28-2018 06:57 AM

I swear it didn't work after the rename command.. must have overlooked it or my brain was still asleep.. Anyways, thank you so much for the help! 🙂

Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...