Cutting or parsing specific characters out of a filtered variable

I am dealing with a filter where it pulls out sudo commands from RHEL 6 OS.

An example is this: "argc=2 a0=sudo a1=chpasswd"
I currently in my grok filter use this command to assign it to a variable: ".*argc=%{DATA:CMD}\d{2}"
results in: "2 a0=sudo a1=chpasswd"

My question is how can I still get that data filtered for my variable CMD, but remove the "2 a0=" and the "a1=" so that the results for CMD ends up being: "sudo chpasswd"?

Thanks for the help!

I apologize for the awful ugliness of this code, but

    kv { source => "message" target => "[@metadata][kvdata]" }
    ruby {
        code => '
            kvdata = event.get("[@metadata][kvdata]")
            i = 0
            s = ""
            while v = kvdata["a#{i}"]
                s += v + " "
                i += 1
            event.set("someField", s.chomp(" "))

Is there a way to do it without looping?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.