Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to concatenate a variable number of fields?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafadvega
Path Finder
09-16-2019
04:57 AM
I had the next events examples:
2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local type=EXECVE msg=audit(15687332450.174:771277): argc=2 a0="cat" a1="/proc/cmdline"
2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local type=EXECVE msg=audit(15687123450.174:123277): argc=3 a0="/bin/systemctl" a1="status" a2="ntpd.service"
I need to concatenate de fields a0, a1, a2, a3... etc, but it isn't a fixed number of fields. Can I concatenate a variable number of fields defined by argc field?
Thanks!!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
09-16-2019
05:32 AM
try this
|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")
assumption - your vaues always start with a followed by digit, like a0,a1...a[n]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981
Champion
09-16-2019
05:32 AM
try this
|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")
assumption - your vaues always start with a followed by digit, like a0,a1...a[n]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
schwagem
Engager
12-19-2019
10:41 AM
I think it's more correct to say that the values always start with "a" followed by an integer. Your regex matches 1 or more digits, found by one or more = signs, followed by a literal double-quote character, etc.
My guess is that we don't want the "+" after the "=" sign; it's spurious in any event and it could be a little misleading.
I think the correct regex would look like this: "a\d+=\"(?<y>.*?)\""
You don't need the backslash in front of the = sign, as it's not a metacharacter, but if you want to do it as a matter of style it won't hurt anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafadvega
Path Finder
09-16-2019
06:04 AM
works! you are f...king monster. Thanks!!
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
