Splunk Search

How to create SQL query from log?

jeesphilipz
New Member

Hi 

I have two files Filed1 and Filed2, Fileld1 is procedure call and Files 2 is the arguments 

i want to make a proper procedure call out of it by replacing "?"  with actual vales from the arguments 

Eg: 
Filed1  exec procedureABC arg1 = ?, arg2 = ?, arg3 = ?

Filed2  arg1=EXEC, arg2=472.59, arg3=ABCI want to make a string like this  "exec proc1 arg1 = EXEC, arg2 = 472.59, arg3 = ABC"
How can i do this ?

Labels (5)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming the fields are always in the format shown, you can extract the procedure from Field1 and append the contents of Field2 as the arguments.

| rex field=Field1 "(?<call>.*?) arg1"
| eval exec = call . " " . Field2
---
If this reply helps you, Karma would be appreciated.
0 Karma

jeesphilipz
New Member

thanks for the reply 

That didn't  help me , 

procedure call would be more complex and some times the argument list can have more element in it 
eg : exec procedureABC @arg1 = ?,  @arg2 = ?,  @arg3 = ?  in real scenario the procedure call parameter begin with '@' 

and the argument list wont have any '@' in it.  also argument list can have more than 10 elements so we need a lookup there 

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...