I believe I figured it out:

index=server_logs sourcetype="tenable:sc:vuln" pluginName="Software Enumeration (SSH)" dnsName = "$server$"
| rex field=pluginText "Linux system\s\:\s+(?<RPM>[^<]+)"
| rex field=RPM mode=sed "s/\s+/;/g"
| makemv RPM delim=";"
| mvexpand RPM | search RPM="kernel*"
| table dnsName RPM
| dedup dnsName RPM

Unfortunately it includes any kernel-* items not just what I am looking for (i.e. kernel-3.10.*).  If I could limit it to kernel-3* and kernel-2* I think it would get what I need... Any way to do that?  Thanks!