https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274724#M32070 <P>We're polling an audit file from our SQL server, that includes a field called <STRONG>additional information.</STRONG> This field has a field inside it: </P> <PRE><CODE>&lt;address&gt;field&lt;/address&gt; </CODE></PRE> <P>that I need to be indexed. I may have done something wrong in setting up the input, because I kind of expected this to be an indexed field from the beginning.</P> <P>This is the input:</P> <PRE><CODE>[mi_input://mssql:audit] connection = SQLServer index = main interval = 60 max_rows = 10000 mode = tail output_timestamp_format = YYYY-MM-dd HH:mm:ss query = SELECT * FROM sys.fn_get_audit_file ('M:\\\\AuditFiles\\\\*',default,default) source = dbx2 sourcetype = mssql:audit tail_follow_only = 1 tail_rising_column_name = event_time tail_rising_column_number = 1 ui_query_mode = advanced disabled = 0 tail_rising_column_checkpoint_value = 1449605957973` </CODE></PRE> <P>and this is the result:</P> <PRE><CODE>"2015-12-08 11:15:19" event_time=1449609223316, sequence_number=1, action_id="LGIS", succeeded=1, permission_bitmask=## NOT SUPPORTED TYPE ##, is_column_permission=0, session_id=65, server_principal_id=274, database_principal_id=0, target_server_principal_id=0, target_database_principal_id=0, object_id=0, class_type="LX", session_server_principal_name="xxxx\svcSQLxxxx", server_principal_name="xxxx\svcSQLxxxx", server_principal_sid=## NOT SUPPORTED TYPE ##, target_server_principal_sid=## NOT SUPPORTED TYPE ##, server_instance_name="xxxxxxxxxx", statement="-- network protocol: LPC set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed", additional_information="&lt;action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"&gt;&lt;pooled_connection&gt;1&lt;/pooled_connection&gt;&lt;client_options&gt;0x28000020&lt;/client_options&gt;&lt;client_options1&gt;0x0001f438&lt;/client_options1&gt;&lt;connect_options&gt;0x00000000&lt;/connect_options&gt;&lt;packet_data_size&gt;8000&lt;/packet_data_size&gt;&lt;address&gt;local machine&lt;/address&gt;&lt;is_dac&gt;0&lt;/is_dac&gt;&lt;/action_info&gt;", file_name="M:\AuditFiles\Audit_Logins_Fail_Success_Log_42C90784-3268-445A-94B3-4CD7D392B997_0_130934732017490000.sqlaudit", audit_file_offset=191027200, user_defined_event_id=0` </CODE></PRE> Tue, 08 Dec 2015 16:28:54 GMT banderson7 2015-12-08T16:28:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274724#M32070 <P>We're polling an audit file from our SQL server, that includes a field called <STRONG>additional information.</STRONG> This field has a field inside it: </P> <PRE><CODE>&lt;address&gt;field&lt;/address&gt; </CODE></PRE> <P>that I need to be indexed. I may have done something wrong in setting up the input, because I kind of expected this to be an indexed field from the beginning.</P> <P>This is the input:</P> <PRE><CODE>[mi_input://mssql:audit] connection = SQLServer index = main interval = 60 max_rows = 10000 mode = tail output_timestamp_format = YYYY-MM-dd HH:mm:ss query = SELECT * FROM sys.fn_get_audit_file ('M:\\\\AuditFiles\\\\*',default,default) source = dbx2 sourcetype = mssql:audit tail_follow_only = 1 tail_rising_column_name = event_time tail_rising_column_number = 1 ui_query_mode = advanced disabled = 0 tail_rising_column_checkpoint_value = 1449605957973` </CODE></PRE> <P>and this is the result:</P> <PRE><CODE>"2015-12-08 11:15:19" event_time=1449609223316, sequence_number=1, action_id="LGIS", succeeded=1, permission_bitmask=## NOT SUPPORTED TYPE ##, is_column_permission=0, session_id=65, server_principal_id=274, database_principal_id=0, target_server_principal_id=0, target_database_principal_id=0, object_id=0, class_type="LX", session_server_principal_name="xxxx\svcSQLxxxx", server_principal_name="xxxx\svcSQLxxxx", server_principal_sid=## NOT SUPPORTED TYPE ##, target_server_principal_sid=## NOT SUPPORTED TYPE ##, server_instance_name="xxxxxxxxxx", statement="-- network protocol: LPC set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed", additional_information="&lt;action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"&gt;&lt;pooled_connection&gt;1&lt;/pooled_connection&gt;&lt;client_options&gt;0x28000020&lt;/client_options&gt;&lt;client_options1&gt;0x0001f438&lt;/client_options1&gt;&lt;connect_options&gt;0x00000000&lt;/connect_options&gt;&lt;packet_data_size&gt;8000&lt;/packet_data_size&gt;&lt;address&gt;local machine&lt;/address&gt;&lt;is_dac&gt;0&lt;/is_dac&gt;&lt;/action_info&gt;", file_name="M:\AuditFiles\Audit_Logins_Fail_Success_Log_42C90784-3268-445A-94B3-4CD7D392B997_0_130934732017490000.sqlaudit", audit_file_offset=191027200, user_defined_event_id=0` </CODE></PRE> Tue, 08 Dec 2015 16:28:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274724#M32070 banderson7 2015-12-08T16:28:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274725#M32071 <P>Have you tried to create a search query that gives you what you need? Your best tools are probably spath or xpath in this case. Something like:</P> <PRE><CODE>sourcetype=mssql_audit | spath output=action_info_address path=action_info.address | table action_info_address </CODE></PRE> <P>Xpath syntax is similar, but not exactly the same.</P> <P>Once you have a working extraction at search time, you should be able to create a <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1511/Knowledge/definecalcfields">calculated field</A> in your props.conf so it's indexed ahead of time.</P> Wed, 09 Dec 2015 04:49:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274725#M32071 jamesarmitage 2015-12-09T04:49:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274726#M32072 <P>I see that it should be working, but it's not. The field isn't extracting.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/spath" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/spath</A></P> <PRE><CODE>&lt;action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"&gt; &lt;pooled_connection&gt;1&lt;/pooled_connection&gt; &lt;client_options&gt;0x28000020&lt;/client_options&gt; &lt;client_options1&gt;0x0001f438&lt;/client_options1&gt; &lt;connect_options&gt;0x00000000&lt;/connect_options&gt; &lt;packet_data_size&gt;8000&lt;/packet_data_size&gt; &lt;address&gt;local machine&lt;/address&gt; &lt;is_dac&gt;0&lt;/is_dac&gt; &lt;/action_info&gt;", file_name="M:\AuditFiles\Audit_Logins_Fail_Success_Log_42C90784-3268-445A-94B3-4CD7D392B997_0_130934732017490000.sqlaudit", audit_file_offset=223147008, user_defined_event_id=0 </CODE></PRE> <P>But the action_info_address field isn't extracted for some reason.</P> Tue, 29 Sep 2020 08:08:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-MIcrosoft-SQL-Server-and-DB-Connect-2-How-to/m-p/274726#M32072 banderson7 2020-09-29T08:08:38Z