
Best way to combine a variable number of fields into a single field


The Linux audit daemon can track the execution of individual commands. Each part of the command is stored in a separate field such as:

a0=/bin/sh a1=/sbin/service a2=auditd a3=status

What is the easiest way to combine an arbitrary number of different fields that share a common naming scheme into a single field, such that the example above would look like:

"/sbin/service auditd status"

Would you use rex set to match multiple times for something like: "a\d\=(?P<command>\S+)" and then make it a multivalued field with a space for a delimiter?




Splunk Employee

A cheating way to do this would be to run it through sed, like so:
| rex field=_raw mode=sed "s/a\d=//g"

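The join described in the question, worked through as an added example that is not part of the thread. It is written in Python rather than SPL so the edge cases can be checked against sample input; in SPL the same idea is `rex max_match=0` to capture every `aN=` value into a multivalued field followed by `mvjoin(field, " ")`. Two caveats matter for auditd EXECVE records specifically: `a\d=` only matches a0 through a9 (a command with eleven or more arguments also has a10, a11, ...), and the audit daemon hex-encodes, without quotes, any argument containing a space, quote or control character, so a pattern that only strips the `aN=` prefix leaves such arguments as hex. The sample records below are constructed for this example; the first mirrors the post's already-extracted form, the second is a raw EXECVE line.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample records (not taken from the original post).
# Record 0 mirrors the post's example, where Splunk had already removed the quotes.
# Record 1 is in raw auditd EXECVE form: quoted plain arguments, one unquoted
# hex-encoded argument ("hello world", encoded because it contains a space),
# and twelve arguments so that a10 and a11 are present.
SAMPLE_RECORDS = [
    "a0=/bin/sh a1=/sbin/service a2=auditd a3=status",
    'type=EXECVE msg=audit(1700000000.123:4567): argc=12 a0="grep" a1="-r" '
    'a2=68656C6C6F20776F726C64 a3="f1" a4="f2" a5="f3" a6="f4" a7="f5" a8="f6" '
    'a9="f7" a10="f8" a11="f9"',
]

# aN=, with an optional [k] fragment suffix that auditd uses to split very long
# arguments (a1[0]=..., a1[1]=...). The value is either quoted or a bare token.
ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=(?:"([^"]*)"|(\S+))')
ARGC_RE = re.compile(r"\bargc=(\d+)")
# An unquoted value that is entirely hex pairs is a hex-encoded argument.
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def decode_arg(quoted: str, bare: str) -> str:
    """Return the argument as auditd meant it: quoted values are literal,
    bare all-hex values are decoded. In raw audit logs a bare value is always
    hex; a bare non-hex value (as in record 0, post-extraction) is kept as-is."""
    if quoted is not None:
        return quoted
    if HEX_RE.match(bare):
        return bytes.fromhex(bare).decode("utf-8", errors="replace")
    return bare


def extract_args(record: str) -> List[str]:
    """Collect a0..aN from one EXECVE record in numeric order.
    Sorting on the integer index keeps a10 after a9 instead of after a1,
    and fragments of one argument are reassembled in fragment order."""
    frags: Dict[int, Dict[int, str]] = {}
    for m in ARG_RE.finditer(record):
        idx = int(m.group(1))
        frag = int(m.group(2) or 0)
        frags.setdefault(idx, {})[frag] = decode_arg(m.group(3), m.group(4))
    args = ["".join(parts[k] for k in sorted(parts)) for _, parts in sorted(frags.items())]
    # Cross-check against argc when the record carries it; a mismatch means the
    # line was truncated or the extraction missed a field, so do not trust the join.
    argc = ARGC_RE.search(record)
    if argc and int(argc.group(1)) != len(args):
        raise ValueError(f"argc={argc.group(1)} but parsed {len(args)} arguments")
    return args


def join_command(record: str, skip: int = 0, quote: bool = False) -> str:
    """Join the arguments into one command string. skip=1 drops a0, as the
    question's desired output does. quote=True shell-quotes each argument so an
    argument that itself contains a space stays distinguishable after joining."""
    args = extract_args(record)[skip:]
    return shlex.join(args) if quote else " ".join(args)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(join_command(rec, skip=1))
        print(join_command(rec, quote=True))
```

Joining with a plain space, as the question asks, is fine for display but loses the argument boundaries once a decoded argument contains a space; for anything that feeds a detection rule, keep the multivalued field (or the quoted form) alongside the joined string.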