Solved: How to concatenate a variable number of fields?

rafadvega · ‎09-16-2019

I had the next events examples:

2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local  type=EXECVE msg=audit(15687332450.174:771277): argc=2 a0="cat" a1="/proc/cmdline"

2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local  type=EXECVE msg=audit(15687123450.174:123277): argc=3 a0="/bin/systemctl" a1="status" a2="ntpd.service"

I need to concatenate de fields a0, a1, a2, a3... etc, but it isn't a fixed number of fields. Can I concatenate a variable number of fields defined by argc field?

Thanks!!

Sukisen1981 · ‎09-16-2019

try this

|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")

assumption - your vaues always start with a followed by digit, like a0,a1...a[n]

View solution in original post

Sukisen1981 · ‎09-16-2019

try this

|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")

assumption - your vaues always start with a followed by digit, like a0,a1...a[n]

schwagem · ‎12-19-2019

I think it's more correct to say that the values always start with "a" followed by an integer. Your regex matches 1 or more digits, found by one or more = signs, followed by a literal double-quote character, etc.

My guess is that we don't want the "+" after the "=" sign; it's spurious in any event and it could be a little misleading.

I think the correct regex would look like this: "a\d+=\"(?<y>.*?)\""

You don't need the backslash in front of the = sign, as it's not a metacharacter, but if you want to do it as a matter of style it won't hurt anything.

rafadvega · ‎09-16-2019

works! you are f...king monster. Thanks!!

How to concatenate a variable number of fields?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies