
How to extract DAP information on the Cisco ASA add-on v5.0.0

pvarelab
Path Finder

We recently upgraded the Add-on for Cisco ASA from version 3.4.0 to 5.0.0.

In version 3.4.0 KV_MODE was set to auto, and this meant that a lot of information from the DAP messages (734*) was extracted into named fields. I.e. for this log:

Jun 24 13:52:39 fwhost %ASA-7-734003: DAP: User username, Addr A.B.C.D: Session Attribute endpoint.anyconnect.publicmacaddress = "aa-bb-cc-dd-ee-ff"

a field named endpoint_anyconnect_publicmacaddress was created with value aa-bb-cc-dd-ee-ff.

In version 5.0.0 KV_MODE is none, and they put an extraction in place that creates two different fields:

endpoint_attribute_name with value endpoint.anyconnect.publicmacaddress
endpoint_value with value aa-bb-cc-dd-ee-ff

When looking at just a single log this is no problem, but we typically put together several logs via the transaction command, grouping by user, src, dvc, so all messages from the same connection are grouped.

Now we get two multivalued fields with no apparent (this might be my ignorance speaking) way to match the attribute name with the value.

I've tried putting mvlist=true on the transaction command and it seems to help, but all other fields get repeated N times (for all messages that get added in the transaction).

Is there a simpler way to be able to match attribute name with the corresponding value after executing transaction with mvlist=false?
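One way to keep the name and value paired through a transaction, added here as an example and not taken from the post or from the Cisco ASA add-on, is to join them into a single string with eval before transaction runs, so each multivalue entry carries both halves. The sourcetype value, the field names user, src and dvc (the add-on's CIM fields the post groups on) and the maxspan window are assumptions for this illustration:

```spl
sourcetype="cisco:asa" "%ASA-7-734003"
| eval dap_attr=endpoint_attribute_name . "=" . endpoint_value
| transaction user src dvc maxspan=10m
| table _time user src dvc dap_attr
```

With mvlist=false left at its default, transaction still deduplicates values, but because each dap_attr string contains the attribute name, two attributes that happen to share the same value (for example two flags both set to "true") are no longer collapsed into one entry. If the pairs are needed as separate fields again afterwards, `| mvexpand dap_attr | rex field=dap_attr "^(?<endpoint_attribute_name>[^=]+)=(?<endpoint_value>.*)$"` splits them back out, one row per attribute.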
