Splunk Search

How to concatenate a variable number of fields?

rafadvega
Path Finder

I had the next events examples:

2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local  type=EXECVE msg=audit(15687332450.174:771277): argc=2 a0="cat" a1="/proc/cmdline"

2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local  type=EXECVE msg=audit(15687123450.174:123277): argc=3 a0="/bin/systemctl" a1="status" a2="ntpd.service"

I need to concatenate de fields a0, a1, a2, a3... etc, but it isn't a fixed number of fields. Can I concatenate a variable number of fields defined by argc field?

Thanks!!

1 Solution

Sukisen1981
Champion

try this

|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")

assumption - your vaues always start with a followed by digit, like a0,a1...a[n]

View solution in original post

Sukisen1981
Champion

try this

|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")

assumption - your vaues always start with a followed by digit, like a0,a1...a[n]

schwagem
Engager

I think it's more correct to say that the values always start with "a" followed by an integer. Your regex matches 1 or more digits, found by one or more = signs, followed by a literal double-quote character, etc.

My guess is that we don't want the "+" after the "=" sign; it's spurious in any event and it could be a little misleading.

I think the correct regex would look like this: "a\d+=\"(?<y>.*?)\""

You don't need the backslash in front of the = sign, as it's not a metacharacter, but if you want to do it as a matter of style it won't hurt anything.

0 Karma

rafadvega
Path Finder

works! you are f...king monster. Thanks!!

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...