Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to concatenate a variable number of fields?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafadvega
Path Finder
09-16-2019
04:57 AM
I had the next events examples:
2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local type=EXECVE msg=audit(15687332450.174:771277): argc=2 a0="cat" a1="/proc/cmdline"
2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local type=EXECVE msg=audit(15687123450.174:123277): argc=3 a0="/bin/systemctl" a1="status" a2="ntpd.service"
I need to concatenate de fields a0, a1, a2, a3... etc, but it isn't a fixed number of fields. Can I concatenate a variable number of fields defined by argc field?
Thanks!!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
09-16-2019
05:32 AM
try this
|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")
assumption - your vaues always start with a followed by digit, like a0,a1...a[n]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
09-16-2019
05:32 AM
try this
|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")
assumption - your vaues always start with a followed by digit, like a0,a1...a[n]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schwagem
Engager
12-19-2019
10:41 AM
I think it's more correct to say that the values always start with "a" followed by an integer. Your regex matches 1 or more digits, found by one or more = signs, followed by a literal double-quote character, etc.
My guess is that we don't want the "+" after the "=" sign; it's spurious in any event and it could be a little misleading.
I think the correct regex would look like this: "a\d+=\"(?<y>.*?)\""
You don't need the backslash in front of the = sign, as it's not a metacharacter, but if you want to do it as a matter of style it won't hurt anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafadvega
Path Finder
09-16-2019
06:04 AM
works! you are f...king monster. Thanks!!
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition II
Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
