Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splitting one field into multiple fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
psomeshwar
Path Finder
03-19-2024
06:30 AM
Currently, I have a search that returns the following:
Search:
index=index1 sourcetype=sourcetype1 | table host, software{}host software
hostname cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
cpe:/a:vendor:product:version
hostname cpe:/a:vendor:product:version
...
...
Here, there are multiple software tied to one hostname, and the software is under one field called software{}. What I am looking for is a way to split the software field into 3 fields by extracting the vendor, the product and the version into 3 separate fields to return:
host software_vendor software_product software_version
hostname vendor product version
vendor product version
vendor product version
vendor product version
vendor product version
hostname vendor product version
...
...
Does anyone have any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-19-2024
07:07 AM
There are a few ways to do that. I like to use rex.
| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
03-19-2024
07:07 AM
There are a few ways to do that. I like to use rex.
| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
psomeshwar
Path Finder
03-19-2024
07:22 AM
Thanks, this did help me, although now, a new problem arose. When I split the fields, they are not listed in the corresponding order. For example, here is how it was shown originally:
host software{}
hostname cpe:/a:vendorA:product2:version3
cpe:/a:vendorB:product3:version1
cpe:/a:vendorC:product1:version2
With the new rex, it now looks like this:
hostname software_vendor software_product software_version
hostname vendorA product1 version1
vendorB product2 version2
vendorC product3 version3
Is there a way to keep the association between the vendor, product and version after the split?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
psomeshwar
Path Finder
03-19-2024
07:33 AM
Never mind, this did not happen. Thanks for the solution!
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
