Splunk Search

Splitting one field into multiple fields

psomeshwar
Path Finder

Currently, I have a search that returns the following:

Search:

index=index1 sourcetype=sourcetype1 | table host, software{}

host        software

hostname    cpe:/a:vendor:product:version
            cpe:/a:vendor:product:version
            cpe:/a:vendor:product:version
            cpe:/a:vendor:product:version
            cpe:/a:vendor:product:version
hostname    cpe:/a:vendor:product:version
            ...
            ...

Here, there are multiple software entries tied to one hostname, all held in one field called software{}. What I am looking for is a way to split the software field into 3 fields by extracting the vendor, the product and the version into 3 separate fields to return:

host        software_vendor    software_product    software_version

hostname    vendor             product             version
            vendor             product             version
            vendor             product             version
            vendor             product             version
            vendor             product             version
hostname    vendor             product             version
            ...
            ...

Does anyone have any ideas?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There are a few ways to do that. I like to use rex.

| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"

---
If this reply helps you, Karma would be appreciated.


psomeshwar
Path Finder

Thanks, this did help me, although now, a new problem arose. When I split the fields, they are not listed in the corresponding order. For example, here is how it was shown originally:

host        software{}

hostname    cpe:/a:vendorA:product2:version3
            cpe:/a:vendorB:product3:version1
            cpe:/a:vendorC:product1:version2

With the new rex, it now looks like this:

hostname    software_vendor    software_product    software_version

hostname    vendorA            product1            version1
            vendorB            product2            version2
            vendorC            product3            version3

Is there a way to keep the association between the vendor, product and version after the split?

0 Karma

psomeshwar
Path Finder

Never mind, this did not happen. Thanks for the solution!

0 Karma
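An added example (not from either poster) that combines the rex above with the concern raised about keeping vendor, product and version paired: expanding the multivalue field to one row per software entry before running rex means each row can only ever hold one CPE's components. It assumes the field is literally named software{} as in the question and reuses the index and sourcetype names from the original search.

```spl
index=index1 sourcetype=sourcetype1
| rename software{} AS software
| mvexpand software
| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"
| table host software_vendor software_product software_version
```

Because mvexpand multiplies the event count by the number of CPEs per host, it is worth narrowing the time range or host set on large inventories; the output has one row per host/software pair rather than one multivalue row per host.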