For example, a standard EXECVE event in my environment will appear as:
type=EXECVE msg=audit($something$) : arg=3 a0=systemctl a1=status a2=auditd.service
I'm attempting to concatenate those so that, in every event, I'll end up with a field, call it "total_argument" where the value in the above circumstance will be "systemctl status auditd.service"
The catch is, the argument number will obviously vary from event to event, and vary wildly - this means a simple eval to add a0, a1, and a2 would work only for the messages that only have 3 arguments.
I'm looking for a way to accomplish this that would concatenate those values regardless of how many arguments the event would have.
Is there a way to accomplish this in Splunk?
@johnvr ,
Try
|eval total_argument=""|foreach a* [eval total_argument=if(match("<<FIELD>>","a[0-9].*"),total_argument." ".<<FIELD>>,total_argument) ]
Sample search used,
|makeresults |eval type="EXECVE", msg="audit", arg=3, a0="systemctl", a1="status", a2="auditd.service"|eval total_argument=""
|foreach a* [eval total_argument=if(match("<<FIELD>>","a[0-9].*"),total_argument." ".<<FIELD>>,total_argument) ]
That works! Well, in some cases. In others, not. Investigating. Would this work in props.conf as an eval, or would it have to be an extraction, or...?
index=auditd type=EXECVE, the argc (the count) field is represented in about 96% of events, but that's only working in about 30%.
@johnvr , I missed the initialization part eval total_argument="" in the search though it's mentioned in the sample search. Updated the answer now. Would be interested to know which case it's not working. I doubt the foreach in props. Instead you can try below also
|rex field=_raw "arg=\d+\s+(?<total_argument>.+)$"|rex field=total_argument mode=sed "s/a\d+=//g"
Getting much better results with the RegEx.
About 70% get parsed.
A couple examples that don't... (the second example makes sense b/c spaces are included in the argument)... I'll mess with this, but let me know if you've got any updates. One thing I've noticed... these EXECVE events end with the final argument. So "$" may be relevant somewhere.
argc=2 a0=df a1=-iP
argc=3 a0=sh a1=-c a2=rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\012' /tmp/prod-lti-number.x86_64.rpm
I'll add that these fields are just being parsed via KV_Mode, which might be part of the problem. It's breaking arguments that have spaces. Therefore, I may need to turn KV_Mode to none, and try regular regex extractions.
Then again... if I push everything to regular regex extractions, I'm going to have to account for any # of arguments... hm...
@johnvr,
I just tried with your above examples and it works for me
| makeresults |eval data="argc=2 a0=df a1=-iP,argc=3 a0=sh a1=-c a2=rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\012' /tmp/prod-lti-number.x86_64.rpm"
|makemv data delim=","|mvexpand data
|rex field=data "argc=\d+\s+(?<total_argument>.+)$"|rex field=total_argument mode=sed "s/a\d+=//g"
@johnvr , does this argument have a common pattern in the names to distinguish it from other fields?
If I understand what you're asking, the answer is yes. It's always a+digit. a0, a1, a2, etc.
In some cases, I've seen this get into the 100s.
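As an added illustration (not code from this thread or from Splunk), here is the same rex-then-sed idea from the answers above written as a small Python parser, using sample events constructed from the examples posted in the thread; it treats "aN=" as an argument boundary only after whitespace, so a space inside an argument (the rpm example) is not split, orders arguments numerically rather than lexically so counts in the 100s still come out in order, and checks the result against argc so truncated or misread events can be flagged.

```python
import re
from typing import Optional

# Sample EXECVE payloads, constructed from the examples posted in this thread
# (the first uses "arg=", the others "argc=", as they appear above).
SAMPLE_EVENTS = [
    "type=EXECVE msg=audit(1.2:3): arg=3 a0=systemctl a1=status a2=auditd.service",
    "type=EXECVE msg=audit(1.2:4): argc=2 a0=df a1=-iP",
    "type=EXECVE msg=audit(1.2:5): argc=3 a0=sh a1=-c a2=rpm -qp --queryformat "
    "'%{NAME} %{VERSION}-%{RELEASE}\\012' /tmp/prod-lti-number.x86_64.rpm",
]

# Everything after the argument count is the argument list ("arg=" matches the
# first sample in the thread, "argc=" the rest).
ARGC_RE = re.compile(r"\bargc?=(?P<argc>\d+)\s+(?P<rest>.+)$")
# An argument starts at "aN=" only at the start of the list or after whitespace,
# so a space inside a value is not treated as a field boundary.
ARG_RE = re.compile(r"(?:^|\s)a(?P<idx>\d+)=")


def parse_execve(event: str) -> Optional[dict]:
    """Rebuild the command line from an EXECVE event with any number of aN= fields."""
    m = ARGC_RE.search(event)
    if not m:
        return None
    rest = m.group("rest")
    marks = list(ARG_RE.finditer(rest))
    args = {}
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(rest)
        args[int(mark.group("idx"))] = rest[mark.end():end]
    # Sort numerically, not lexically: with 10+ arguments "a10" would otherwise
    # land between "a1" and "a2" and scramble the reconstructed command line.
    ordered = [args[k] for k in sorted(args)]
    argc = int(m.group("argc"))
    return {
        "argc": argc,
        "args": ordered,
        "total_argument": " ".join(ordered),
        # False when arguments are missing or a field boundary was misread.
        "complete": len(ordered) == argc and sorted(args) == list(range(argc)),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_execve(ev))
```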