Splunk Search

How to create SQL query from log?

New Member


I have two fields, Field1 and Field2. Field1 is the procedure call and Field2 is the arguments.

I want to make a proper procedure call out of it by replacing "?" with actual values from the arguments.

Field1  exec procedureABC arg1 = ?, arg2 = ?, arg3 = ?

Field2  arg1=EXEC, arg2=472.59, arg3=ABC

I want to make a string like this: "exec proc1 arg1 = EXEC, arg2 = 472.59, arg3 = ABC"
How can I do this?

0 Karma


Assuming the fields are always in the format shown, you can extract the procedure from Field1 and append the contents of Field2 as the arguments.

| rex field=Field1 "(?<call>.*?) arg1"
| eval exec = call . " " . Field2

If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks for the reply.

That didn't help me.

The procedure call would be more complex, and sometimes the argument list can have more elements in it.
E.g.: exec procedureABC @arg1 = ?,  @arg2 = ?,  @arg3 = ?  In the real scenario the procedure call parameters begin with '@',

and the argument list won't have any '@' in it. Also, the argument list can have more than 10 elements, so we need a lookup there.

0 Karma
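
For the case raised in the follow-up ('@'-prefixed parameters in Field1, no '@' in Field2, any number of arguments), one way to rebuild the call is sketched below. This is an added example, not code from either poster. The `makeresults` rows are constructed from the sample values in the thread, and the field names `call`, `placeholder`, `arg_name`, `arg_value`, `prefix`, `pair` and `arg_count_ok` are illustrative.

```spl
| makeresults
| eval Field1="exec procedureABC @arg1 = ?, @arg2 = ?, @arg3 = ?"
| eval Field2="arg1=EXEC, arg2=472.59, arg3=ABC"
| rex field=Field1 "^(?<call>.*?)\s+@?\w+\s*=\s*\?"
| rex field=Field1 max_match=0 "=\s*(?<placeholder>\?)"
| rex field=Field2 max_match=0 "(?<arg_name>\w+)\s*=\s*(?<arg_value>[^,]+?)\s*(?:,|$)"
| eval prefix=if(match(Field1, "@\w+\s*="), "@", "")
| eval pair=mvzip(arg_name, arg_value, " = ")
| eval exec=call . " " . prefix . mvjoin(pair, ", " . prefix)
| eval arg_count_ok=if(mvcount(placeholder)==mvcount(pair), "yes", "no")
| table Field1 Field2 exec arg_count_ok
```

`arg_count_ok` is "no" when the number of "?" placeholders in Field1 differs from the number of name=value pairs found in Field2, which flags events where the rebuilt string should not be trusted. A value that itself contains a comma is split at that comma, and values are emitted unquoted, so the result is suited to reading and auditing rather than re-execution.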