Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i split this field into multiple columns?

marceldera
Explorer
‎08-23-2022 09:57 AM

Filed name = pluginText

<plugin_output>Information about this scan :

Nessus version : 10.3.0

Nessus build : 20080

Plugin feed version : 202208222232

Scanner edition used : Nessus

Scanner OS : LINUX

Scanner distribution : es7-x86-64

Scan type : Normal

Scan name : Host_Discovery & OS_Identification

Scan policy used : 93e1da98-656c-5cd5-933b-ce6665fc0486-1939724/Host_Discovery_Scan_03292022 Scanner IP : 10.102.10.1

Port scanner(s) : nessus_syn_scanner

Port range : sc-default

Ping RTT : 11.921 ms

Thorough tests : no

Experimental tests : no

Plugin debugging enabled : no

Paranoia level : 1

Report verbosity : 1

Safe checks : yes

Optimize the test : yes

Credentialed checks : no

Patch management checks : None

Display superseded patches : yes (supersedence plugin launched)

CGI scanning : disabled

Web application tests : disabled

Max hosts : 30

Max checks : 5

Recv timeout : 5

Backports : None

Allow post-scan editing : Yes

Scan Start Date : 2021/8/10 1:55 UTC

can duration : 63 sec

</plugin_output>

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2022 10:23 AM 
| rex field=pluginText max_match=0 "\s*(?<namevalue>[^:]+ : .+)"
| streamstats count as _row 
| mvexpand namevalue
| rex field=namevalue "(?<name>[^:]+) : (?<value>.+)"
| eval {name}=value
| fields - name value namevalue
| stats values(*) as * by _row

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2022 10:23 AM 
| rex field=pluginText max_match=0 "\s*(?<namevalue>[^:]+ : .+)"
| streamstats count as _row 
| mvexpand namevalue
| rex field=namevalue "(?<name>[^:]+) : (?<value>.+)"
| eval {name}=value
| fields - name value namevalue
| stats values(*) as * by _row
0 Karma
Reply
Solved! Jump to solution

marceldera
Explorer
‎08-23-2022 12:03 PM

Thank you so much, I really appreciate it.  It works perfectly.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...