Splunk Add-on for Oracle Database: Help with extracting field or possibly configuring line breaking

d00680245
Explorer

I'm struggling with some field mapping and not exactly sure the best way to go about this. Below are two different event examples from the sourcetype="oracle:listener:text". I'm wanting the Service and Version fields extracted. I am able to get the Service extracted at search time using regex, but am having difficulty getting the version field. Using the Splunk field extractor I can get this field using two different regex examples, but it doesn't allow me to add two field examples. I receive the following:

"The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings."


Able to extract SERVICE field using REGEX: ^(?:[^=\n]*=){8}(?P<SERVICE_NAME>\w+)

28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)(VERSION=318767104)) * status * 0
Able to extract VERSION field using REGEX: (?:[^\.\n]*\.){4}\w+\)\(\w+=\d+\)\)\)\(\w+=(?P<VERSION_NUMBER>\d+)

28-APR-2022 10:39:24 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=ora31-vip.test.com)(PORT=1521)))(VERSION=318767104)) * status * 0



Able to extract another VERSION field from a different event example using the following REGEX: ^(?:[^=\n]*=){9}(?P<VERSION_NUMBER>\d+)

28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)(VERSION=318767104)) * status * 0
I'm using the latest Splunk Add-on for Oracle Database (https://splunkbase.splunk.com/app/1910/ version 4.1.0) that collects and ingests data from Oracle Database Server.


Looking at the props.conf for Splunk_TA_oracle, it doesn't appear it does anything for these two fields I'm wanting.

[oracle:listener:text]
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)\d+-\w{3}-\d{4}\s+\d+\:\d+\:\d+
KV_MODE = None
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %d-%b-%Y %H:%M:%S

EVAL-app = "oracle"
REPORT-ORACODE = ORACODE
REPORT-CLIENTIP_listener = CLIENTIP_listener
REPORT-DESTIP_listener = DESTIP_listener
REPORT-DESTPORT_listener = DESTPORT_listener
REPORT-CLIENTUSER_listener = CLIENTUSER_listener
REPORT-USER_listener = USER_listener
REPORT-PROGRAM_listener = PROGRAM_listener
REPORT-STATUS_listener = STATUS_listener
EVAL-action = if(STATUS=0, "success", "failure")
FIELDALIAS-dest = DESTIP as dest
FIELDALIAS-src=CLIENTIP as src
FIELDALIAS-src_user = CLIENT_USER as src_user, CLIENT_USER as user
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION as oracle_listener_action
FIELDALIAS-port = DESTPORT as port



Is it worth trying to get these fields mapped adjusting some things in the oracle app or should I just focus on extracting the fields at search time instead?

VatsalJagani
SplunkTrust

@d00680245 - Try the below regexes for your fields instead:

\(SERVICE=(?<SERVICE_NAME>[^)]+)\)

\(VERSION=(?<VERSION_NUMBER>[^)]+)\)

You can either use them with EXTRACT in props.conf, or use REPORT in props.conf and then write the regex in the relevant transforms.conf stanza.

I hope this helps!!!

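To see concretely why the positional regexes from the question break on the second event while the anchored `\(SERVICE=...\)` / `\(VERSION=...\)` forms hold up, here is an added Python check that runs both sets of patterns over copies of the sample events quoted in the thread. It is not code from the thread or from the Splunk add-on; Splunk evaluates regexes with PCRE, so the `(?<name>...)` groups are converted to Python's `(?P<name>...)` before use. The test also records what the anchored SERVICE regex returns on the event whose SERVICE value is a nested `(ADDRESS=...)` block: `[^)]+` stops at the first `)`, so that event yields a truncated value rather than the whole address.

```python
import re

# Constructed copies of the two listener events quoted in the question.
EVENTS = [
    "28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)"
    "(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)"
    "(VERSION=318767104)) * status * 0",
    "28-APR-2022 10:39:24 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)"
    "(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)"
    "(HOST=ora31-vip.test.com)(PORT=1521)))(VERSION=318767104)) * status * 0",
]


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    The patterns in this thread contain no lookbehinds, so a plain
    replacement of the group opener is sufficient here.
    """
    return pattern.replace("(?<", "(?P<")


# Positional patterns from the question: count '=' signs from line start,
# then require \w+ / \d+ immediately after the Nth one.
POSITIONAL = {
    "SERVICE_NAME": r"^(?:[^=\n]*=){8}(?P<SERVICE_NAME>\w+)",
    "VERSION_NUMBER": r"^(?:[^=\n]*=){9}(?P<VERSION_NUMBER>\d+)",
}

# Anchored patterns from the answer: match the literal key, take everything
# up to the next closing parenthesis.
ANCHORED = {
    "SERVICE_NAME": pcre_to_python(r"\(SERVICE=(?<SERVICE_NAME>[^)]+)\)"),
    "VERSION_NUMBER": pcre_to_python(r"\(VERSION=(?<VERSION_NUMBER>[^)]+)\)"),
}


def extract(event, patterns):
    """Apply each named pattern to one event; None where a pattern does not match."""
    result = {}
    for field, pattern in patterns.items():
        match = re.search(pattern, event)
        result[field] = match.group(field) if match else None
    return result


def compare_all(events=EVENTS):
    """Return per-event results for both pattern sets, for side-by-side review."""
    return [
        {"positional": extract(ev, POSITIONAL), "anchored": extract(ev, ANCHORED)}
        for ev in events
    ]


if __name__ == "__main__":
    for i, row in enumerate(compare_all(), start=1):
        print(f"event {i}: positional={row['positional']} anchored={row['anchored']}")
```

On the first event both approaches agree. On the second event the positional patterns return nothing for either field, because the eighth `=` is followed by `(` rather than a word character and the ninth `=` belongs to `ADDRESS`, not `VERSION`. The anchored VERSION pattern is unaffected, while the anchored SERVICE pattern returns `(ADDRESS=(PROTOCOL=TCP`, which is worth knowing before building alerts or lookups on that field.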
d00680245
Explorer

Thanks, I appreciate the help. The regex is good and works fine with search. I've tried to define this in the props and transforms but not sure what I'm missing. Tried to reference similar fields, but still missing something...

I've added REPORT-SERVICE_listener = SERVICE_listener and REPORT-VERSION_listener = VERSION_listener in the props.conf

[oracle:listener:text]
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)\d+-\w{3}-\d{4}\s+\d+\:\d+\:\d+
KV_MODE = None
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %d-%b-%Y %H:%M:%S

EVAL-app = "oracle"
REPORT-ORACODE = ORACODE
REPORT-CLIENTIP_listener = CLIENTIP_listener
REPORT-DESTIP_listener = DESTIP_listener
REPORT-DESTPORT_listener = DESTPORT_listener
REPORT-CLIENTUSER_listener = CLIENTUSER_listener
REPORT-USER_listener = USER_listener
REPORT-SERVICE_listener = SERVICE_listener
REPORT-VERSION_listener = VERSION_listener
REPORT-PROGRAM_listener = PROGRAM_listener
REPORT-STATUS_listener = STATUS_listener
EVAL-action = if(STATUS=0, "success", "failure")
FIELDALIAS-dest = DESTIP as dest
FIELDALIAS-src=CLIENTIP as src
FIELDALIAS-src_user = CLIENT_USER as src_user, CLIENT_USER as user
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION as oracle_listener_action
FIELDALIAS-port = DESTPORT as port

As for the transforms.conf, I see three sections with [_text], [_xml] and [_listener], but I'm not sure where/how this should be added?

[SERVICE_text]
REGEX = \(SERVICE=(?<SERVICE>[^)]+)\)
FORMAT = SERVICE::$1

[VERSION_text]
REGEX = \(VERSION=(?<VERSION>[^)]+)\)
FORMAT = VERSION::$1

d00680245
Explorer

Should I be able to add something like the following in the props.conf and be ok?
EXTRACT-SERVICE = SERVICE="(?<SERVICE>[^)]+)\) in source

From what I found you would use EXTRACT (inline extraction) defined in props.conf as standalone, whereas REPORT (field transform) is defined in transforms.conf and invoked from props.conf. The first would still perform at search time, but the second method would be at indexing time?

VatsalJagani
SplunkTrust

Yes, you can have the below in your props.conf to extract those fields.

EXTRACT-service = \(SERVICE=(?<SERVICE_NAME>[^)]+)\)
EXTRACT-version = \(VERSION=(?<VERSION_NUMBER>[^)]+)\)
I hope this helps!!!
