Hello @sushraw,

Can you please try appending below -

| makemv CmdArgAV
| eval CmdArgAV = replace(CmdArgAV, "\n", ", ")

The final results based on the sample event you shared would be -

| makeresults
| eval _raw="Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>"
| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
| rex field=CmdSet max_match=0 "CmdArgAV=(?<CmdArgAV>[^\s]+)"
| makemv CmdArgAV
| eval CmdArgAV = replace(CmdArgAV, "\n", ", ")

Below screenshot for your reference -

If this reply helps you, Karma would be appreciated.