As RichG commented, seeing this sourcetype's props.conf is going to aid greatly.
In lieu of that, however, you can start with the regular expression in this run-anywhere example:
| makeresults
| eval _raw="2023-02-28 15:40:50.760, AUDIT_TYPE=\"Standard\", OS_USERNAME=\"Administrator\", TERMINAL=\"unknown\", DBUSERNAME=\"RACOON\", CLIENT_PROGRAM_NAME=\"SQL Developer\", STATEMENT_ID=\"978\", EVENT_TIMESTAMP=\"2023-02-28 18:40:50.76\", ACTION_NAME=\"ALTER USER\", OBJECT_NAME=\"SPLUNK\", SQL_TEXT=\"ALTER USER \"SPLUNK\" DEFAULT ROLE \"CONNECT\",\"AUDIT_VIEWER\"\", SYSTEM_PRIVILEGE_USED=\"SYSDBA\", CURRENT_USER=\"SYS\", UNIFIED_AUDIT_POLICIES=\"ORA_SECURECONFIG\""
| rex field=_raw "(?<_time>[^,]+),\s+AUDIT_TYPE=\"(?<audit_type>.+?)\",\s+\w+=\"(?<os_username>.+?)\",\s+"
Presuming your sample data string is accurate, you can keep going with the pattern presented to pull all the known fields out of the raw event.
It's going to be very dependent upon knowing the order of your fields, of course, but this is an approach.
from User warren – Stack Overflow https://stackoverflow.com/questions/75606730/how-can-i-extract-all-fields-from-my-db-connect-results-in-splunk/75616721#75616721
via IFTTT
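As an added run-anywhere example (not warren's code or anything from the question), here is the pattern carried through to every field in the sample event. It assumes exactly the field order shown in the sample, that SQL_TEXT is always immediately followed by SYSTEM_PRIVILEGE_USED (which is what lets the unescaped double quotes inside SQL_TEXT be captured without breaking the match), and that the leading timestamp always has three fractional-second digits; the extracted field names are choices made here.

```spl
| makeresults
| eval _raw="2023-02-28 15:40:50.760, AUDIT_TYPE=\"Standard\", OS_USERNAME=\"Administrator\", TERMINAL=\"unknown\", DBUSERNAME=\"RACOON\", CLIENT_PROGRAM_NAME=\"SQL Developer\", STATEMENT_ID=\"978\", EVENT_TIMESTAMP=\"2023-02-28 18:40:50.76\", ACTION_NAME=\"ALTER USER\", OBJECT_NAME=\"SPLUNK\", SQL_TEXT=\"ALTER USER \"SPLUNK\" DEFAULT ROLE \"CONNECT\",\"AUDIT_VIEWER\"\", SYSTEM_PRIVILEGE_USED=\"SYSDBA\", CURRENT_USER=\"SYS\", UNIFIED_AUDIT_POLICIES=\"ORA_SECURECONFIG\""
| rex field=_raw "^(?<log_time>[^,]+),\s+AUDIT_TYPE=\"(?<audit_type>[^\"]*)\",\s+OS_USERNAME=\"(?<os_username>[^\"]*)\",\s+TERMINAL=\"(?<terminal>[^\"]*)\",\s+DBUSERNAME=\"(?<dbusername>[^\"]*)\",\s+CLIENT_PROGRAM_NAME=\"(?<client_program_name>[^\"]*)\",\s+STATEMENT_ID=\"(?<statement_id>[^\"]*)\""
| rex field=_raw "EVENT_TIMESTAMP=\"(?<event_timestamp>[^\"]*)\",\s+ACTION_NAME=\"(?<action_name>[^\"]*)\",\s+OBJECT_NAME=\"(?<object_name>[^\"]*)\",\s+SQL_TEXT=\"(?<sql_text>.*)\",\s+SYSTEM_PRIVILEGE_USED=\"(?<system_privilege_used>[^\"]*)\",\s+CURRENT_USER=\"(?<current_user>[^\"]*)\",\s+UNIFIED_AUDIT_POLICIES=\"(?<unified_audit_policies>[^\"]*)\"$"
| eval _time=strptime(log_time, "%Y-%m-%d %H:%M:%S.%3N")
| table _time audit_type os_username terminal dbusername client_program_name statement_id event_timestamp action_name object_name sql_text system_privilege_used current_user unified_audit_policies
```

Each value is captured with `[^\"]*` rather than `.+?` so an empty value does not shift the match onto the next field, and the leading timestamp goes into a separate field and is converted with strptime rather than being written into `_time` as a string; SQL_TEXT is the one field that must be anchored on its neighbour, since the sample shows the quotes inside it are not escaped.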