Can I concatenate the arguments contained in Linux...

johnvr · ‎10-11-2018

For example, a standard EXECVE event in my environment will appear as:

type=EXECVE msg=audit($something$) : arg=3 a0=systemctl a1=status a2=auditd.service

I'm attempting to concatenate those so that, in every event, I'll end up with a field, call it "total_argument" where the value in the above circumstance will be "systemctl status auditd.service"

The catch is, the argument number will obviously vary from event to event, and vary wildly - this means a simple eval to add a0, a1, and a2 would work only for the messages that only have 3 arguments.

I'm looking for a way to accomplish this that would concatenate those values regardless of how many arguments the event would have.

Is there a way to accomplish this in Splunk?

renjith_nair · ‎10-12-2018

@johnvr ,

Try

|eval total_argument=""|foreach a* [eval total_argument=if(match("<<FIELD>>","a[0-9].*"),total_argument." ".<<FIELD>>,total_argument) ]

Sample search used,

|makeresults |eval type="EXECVE", msg="audit", arg=3, a0="systemctl", a1="status", a2="auditd.service"|eval total_argument=""
|foreach a* [eval total_argument=if(match("<<FIELD>>","a[0-9].*"),total_argument." ".<<FIELD>>,total_argument) ]

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnvr · ‎10-15-2018

That works! Well, in some cases. In others, not. Investigating. Would this work in props.conf as an eval, or would it have to be an extraction, or...?

index=auditd type=EXECVE, the argc (the count) field is represented in about 96% of events, but that's only working in about 30%.

renjith_nair · ‎10-16-2018

@johnvr , i missed the initialization part eval total_argument="" in the search though its mentioned in the sample search. Updated the answer now. Would be interested to know which case its not working. I doubt the foreacch in props. Instead you can try below also

|rex field=_raw "arg=\d+\s+(?<total_argument>.+)$"|rex field=total_argument mode=sed "s/a\d+=//g"

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnvr · ‎10-18-2018

Getting much better results with the RegEx.

About 70% get parsed.

A couple examples that don't... (the second example makes sense b/c spaces are included in the argument)... I'll mess with this, but let me know if you've got any updates. One thing I've noticed... these EXECVE events end with the final argument. So "$" may be relevant somewhere.

argc=2 a0=df a1=-iP

argc=3 a0=sh a1=-c a2=rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\012' /tmp/prod-lti-number.x86_64.rpm

johnvr · ‎10-18-2018

I'll add that these fields are just being parsed via KV_Mode, which might be part of the problem. It's breaking arguments that have spaces. Therefore, I may need to turn KV_Mode to none, and try regular regex extractions.

johnvr · ‎10-18-2018

Then again... if I push everything to regular regex extractions, I'm going to have to account for any # of arguments... hm...

renjith_nair · ‎10-19-2018

@johnvr,
I just tried with your above examples and it works for me

    | makeresults |eval data="argc=2 a0=df a1=-iP,argc=3 a0=sh a1=-c a2=rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\012' /tmp/prod-lti-number.x86_64.rpm"
    |makemv data delim=","|mvexpand data
    |rex field=data "argc=\d+\s+(?<total_argument>.+)$"|rex field=total_argument mode=sed "s/a\d+=//g"

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎10-11-2018

@johnvr , does this argument has a common pattern in the names to distinguish from other fields?

---
What goes around comes around. If it helps, hit it with Karma 🙂

johnvr · ‎10-12-2018

If I understand what you're asking, the answer is yes. It's always a+digit. a0, a1, a2, etc.

In some cases, I've seen this get into the 100s.

Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!