I had the next events examples:
2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local type=EXECVE msg=audit(15687332450.174:771277): argc=2 a0="cat" a1="/proc/cmdline" 2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local type=EXECVE msg=audit(15687123450.174:123277): argc=3 a0="/bin/systemctl" a1="status" a2="ntpd.service"
I need to concatenate de fields a0, a1, a2, a3... etc, but it isn't a fixed number of fields. Can I concatenate a variable number of fields defined by argc field?
|rex field=_raw "a\d+\=+\"(?<y>.*?)\"" max_match=0|table argc,y| eval combo=mvjoin(y, "")
assumption - your vaues always start with a followed by digit, like a0,a1...a[n]
I think it's more correct to say that the values always start with "a" followed by an integer. Your regex matches 1 or more digits, found by one or more = signs, followed by a literal double-quote character, etc.
My guess is that we don't want the "+" after the "=" sign; it's spurious in any event and it could be a little misleading.
I think the correct regex would look like this:
You don't need the backslash in front of the = sign, as it's not a metacharacter, but if you want to do it as a matter of style it won't hurt anything.