Solved: split multi value fields

aliroumani · ‎09-03-2016

my dear friends,

I'm running the below search string that give me the following result:
index=qualys IP="" DNS="" cve="*" | table IP DNS cve | dedup IP DNS cve

result:
IP DNS cve
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2010-4094, CVE-2010-0557, CVE-2009-4189, CVE-2009-3548, CVE-2009-3099

as you can see i have multi values in the cve filed seperated by comma.
my question is how to get the result to show as:
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2010-4094
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2010-0557
10.252.64.84 horemedysso2v.alrajhi.bank CVE-2009-4189
etc ...
meaning the i want the IP and DNS filed to be repeated with each single value of cve field and each one will be in new row.

thanks in advance

sundareshr · ‎09-04-2016

Try this.

index=qualys IP="" DNS="" cve="*" | table IP DNS cve | makemv cve delim="," | mvexpand cve | dedup IP DNS cve

View solution in original post

sundareshr · ‎09-04-2016

Try this.

index=qualys IP="" DNS="" cve="*" | table IP DNS cve | makemv cve delim="," | mvexpand cve | dedup IP DNS cve

aliroumani · ‎09-04-2016

perfecttttttttttttttttttttttttttttttttttttttt ...
thank you so much my friend.

split multi value fields

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!