Solved: split multi value fields

aliroumani · ‎09-03-2016

my dear friends,

I'm running the below search string that give me the following result:
index=qualys IP="" DNS="" cve="*" | table IP DNS cve | dedup IP DNS cve

result:
IP DNS cve
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2010-4094, CVE-2010-0557, CVE-2009-4189, CVE-2009-3548, CVE-2009-3099

as you can see i have multi values in the cve filed seperated by comma.
my question is how to get the result to show as:
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2010-4094
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2010-0557
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2009-4189
etc ...
meaning the i want the IP and DNS filed to be repeated with each single value of cve field and each one will be in new row.

thanks in advance

sundareshr · ‎09-04-2016

Try this.

index=qualys IP="" DNS="" cve="*" | table IP DNS cve | makemv cve delim="," | mvexpand cve | dedup IP DNS cve

View solution in original post

sundareshr · ‎09-04-2016

Try this.

index=qualys IP="" DNS="" cve="*" | table IP DNS cve | makemv cve delim="," | mvexpand cve | dedup IP DNS cve

aliroumani · ‎09-04-2016

perfecttttttttttttttttttttttttttttttttttttttt ...
thank you so much my friend.

split multi value fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation