Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting one field into multiple fields

psomeshwar
Path Finder
‎03-19-2024 06:30 AM

Currently, I have a search that returns the following:

Search:

index=index1 sourcetype=sourcetype1 | table host, software{}

host                 software

hostname       cpe:/a:vendor:product:version
                            cpe:/a:vendor:product:version
                            cpe:/a:vendor:product:version
                            cpe:/a:vendor:product:version
                            cpe:/a:vendor:product:version
hostname       cpe:/a:vendor:product:version
                            ...
                            ...

Here, there are multiple software tied to one hostname, and the software is under one field called software{}. What I am looking for is a way to split the software field into 3 fields by extracting the vendor, the product and the version into 3 separate fields to return:

host                 software_vendor                   software_product             software_version

hostname       vendor                                       product                                  version
                            vendor                                       product                                  version
                            vendor                                       product                                  version
                            vendor                                       product                                  version
                            vendor                                       product                                  version
hostname       vendor                                       product                                  version
                            ...
                            ...

Does anyone have any ideas?

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-19-2024 07:07 AM

There are a few ways to do that.  I like to use rex.

| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-19-2024 07:07 AM

There are a few ways to do that.  I like to use rex.

| rex field=software "cpe:\/a:(?<software_vendor>[^:]+):(?<software_product>[^:]+):(?<software_version>.*)"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

psomeshwar
Path Finder
‎03-19-2024 07:22 AM

Thanks, this did help me, although now, a new problem arose. When I split the fields, they are not listed in the corresponding order. For example, here is how it was shown originally:

host                        software{}

hostname            cpe:/a:vendorA:product2:version3
                                 cpe:/a:vendorB:product3:version1
                                 cpe:/a:vendorC:product1:version2

 

With the new rex, it now looks like this:

hostname               software_vendor                 software_product              software_version

hostname               vendorA                                   product1                                 version1
                                    vendorB                                   product2                                 version2
                                    vendorC                                   product3                                  version3

Is there a way to keep the association between the vendor, product and version after the split?

0 Karma
Reply
Solved! Jump to solution

psomeshwar
Path Finder
‎03-19-2024 07:33 AM

Never mind, this did not happen. Thanks for the solution!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...