{"id":71173,"date":"2023-03-02T14:22:05","date_gmt":"2023-03-02T14:22:05","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=71173"},"modified":"2023-03-02T14:22:05","modified_gmt":"2023-03-02T14:22:05","slug":"answer-by-warren-for-how-can-i-extract-all-fields-from-my-db-connect-results-in-splunk","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=71173","title":{"rendered":"Answer by warren for How can I extract all fields from my DB Connect results in Splunk?"},"content":{"rendered":"<p>As RichG commented, seeing this sourcetype&#8217;s <code>props.conf<\/code> is going to aid greatly<\/p>\n<p>In lieu of that, however, you can start with the regular expression in this run-anywhere example:<\/p>\n<pre><code>| makeresults\n| eval _raw=&quot;2023-02-28 15:40:50.760, AUDIT_TYPE=\\&quot;Standard\\&quot;, OS_USERNAME=\\&quot;Administrator\\&quot;, TERMINAL=\\&quot;unknown\\&quot;, DBUSERNAME=\\&quot;RACOON\\&quot;, CLIENT_PROGRAM_NAME=\\&quot;SQL Developer\\&quot;, STATEMENT_ID=\\&quot;978\\&quot;, EVENT_TIMESTAMP=\\&quot;2023-02-28 18:40:50.76\\&quot;, ACTION_NAME=\\&quot;ALTER USER\\&quot;,  OBJECT_NAME=\\&quot;SPLUNK\\&quot;, SQL_TEXT=\\&quot;ALTER USER \\&quot;SPLUNK\\&quot; DEFAULT ROLE \\&quot;CONNECT\\&quot;,\\&quot;AUDIT_VIEWER\\&quot;\\&quot;, SYSTEM_PRIVILEGE_USED=\\&quot;SYSDBA\\&quot;, CURRENT_USER=\\&quot;SYS\\&quot;, UNIFIED_AUDIT_POLICIES=\\&quot;ORA_SECURECONFIG\\&quot;&quot;\n| rex field=_raw &quot;(?&lt;_time&gt;[^,]+),\\s+AUDIT_TYPE=\\&quot;(?&lt;audit_type&gt;.+?)\\&quot;,\\s+\\w+=\\&quot;(?&lt;os_username&gt;.+?)\\&quot;,\\s+&quot;\n<\/code><\/pre>\n<p>Presuming your sample data string is accurate, you can keep going with the pattern presented to pull all the known fields out of the raw event<\/p>\n<p>It&#8217;s going to be <em>very<\/em> dependent upon knowing the order of your fields, of course, but this is an approach<\/p>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/75606730\/how-can-i-extract-all-fields-from-my-db-connect-results-in-splunk\/75616721#75616721<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As RichG commented, seeing this sourcetype&#8217;s props.conf is going to aid greatly In lieu of that, however, you can start with the regular expression in this run-anywhere example: | makeresults | eval _raw=&quot;2023-02-28 15:40:50.760, AUDIT_TYPE=\\&quot;Standard\\&quot;, OS_USERNAME=\\&quot;Administrator\\&quot;, TERMINAL=\\&quot;unknown\\&quot;, DBUSERNAME=\\&quot;RACOON\\&quot;, CLIENT_PROGRAM_NAME=\\&quot;SQL Developer\\&quot;, STATEMENT_ID=\\&quot;978\\&quot;, EVENT_TIMESTAMP=\\&quot;2023-02-28 18:40:50.76\\&quot;, ACTION_NAME=\\&quot;ALTER USER\\&quot;, OBJECT_NAME=\\&quot;SPLUNK\\&quot;, SQL_TEXT=\\&quot;ALTER USER \\&quot;SPLUNK\\&quot; DEFAULT ROLE \\&quot;CONNECT\\&quot;,\\&quot;AUDIT_VIEWER\\&quot;\\&quot;, SYSTEM_PRIVILEGE_USED=\\&quot;SYSDBA\\&quot;, CURRENT_USER=\\&quot;SYS\\&quot;, UNIFIED_AUDIT_POLICIES=\\&quot;ORA_SECURECONFIG\\&quot;&quot; &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=71173\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for How can I extract all fields from my DB Connect results in Splunk?<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-71173","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/71173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=71173"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/71173\/revisions"}],"predecessor-version":[{"id":71174,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/71173\/revisions\/71174"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=71173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=71173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=71173"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=71173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}