Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splitting one field into multiple fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
psomeshwar
Path Finder
03-19-2024
06:30 AM
Currently, I have a search that returns the following:
Search:
index=index1 sourcetype=sourcetype1 | table host, software{}host software
hostname cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
hostname cpe:/a:vendor:product:version
...
...
Here, there are multiple software tied to one hostname, and the software is under one field called software{}. What I am looking for is a way to split the software field into 3 fields by extracting the vendor, the product and the version into 3 separate fields to return:
host software_vendor software_product software_version
hostname vendor product version
vendor product version
vendor product version
vendor product version
vendor product version
hostname vendor product version
...
...
Does anyone have any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-19-2024
07:07 AM
There are a few ways to do that. I like to use rex.
| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-19-2024
07:07 AM
There are a few ways to do that. I like to use rex.
| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
psomeshwar
Path Finder
03-19-2024
07:22 AM
Thanks, this did help me, although now, a new problem arose. When I split the fields, they are not listed in the corresponding order. For example, here is how it was shown originally:
host software{}
hostname cpe:/a:vendorA:product2:version3
cpe:/a:vendorB:product3:version1
cpe:/a:vendorC:product1:version2
With the new rex, it now looks like this:
hostname software_vendor software_product software_version
hostname vendorA product1 version1
vendorB product2 version2
vendorC product3 version3
Is there a way to keep the association between the vendor, product and version after the split?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
psomeshwar
Path Finder
03-19-2024
07:33 AM
Never mind, this did not happen. Thanks for the solution!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
