Hi @hmostafa , you can use Splunk  Add-on for Oracle Database to connect oracle with Splunk.
https://splunkbase.splunk.com/app/1910

It collect and ingest data from the Oracle Database Server. This add-on can import data directly by monitoring the standard and fine-grained audit trails, trace files, incident, alert, listener, and other logs on the operating system where the Oracle Database Server is installed. Through log file monitoring and field extraction, the database administrator can create alerts and dashboards to track what errors, problems, or incidents happen to the database in real time.

Adding a link of steps to configure this Add-on.
https://docs.splunk.com/Documentation/AddOns/released/Oracle/Configuremonitorinputs

--------------------------------------------------------

If this helps your like will be appreciated😀

Hi,

Not sure what you are exactly trying to achieve (or ask).

But if you are trying to ingest the audit logging with the Splunk Add-on for Oracle Database I suggest you read the following:

https://docs.splunk.com/Documentation/AddOns/released/Oracle/Configuremonitorinputs

An example for Oracle 12c inputs:

[monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/alert/log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/incident/incdir*/*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE