How to create SQL query from log?

jeesphilipz · ‎05-18-2022

Hi

I have two files Filed1 and Filed2, Fileld1 is procedure call and Files 2 is the arguments

i want to make a proper procedure call out of it by replacing "?" with actual vales from the arguments

Eg:
Filed1 exec procedureABC arg1 = ?, arg2 = ?, arg3 = ?

Filed2 arg1=EXEC, arg2=472.59, arg3=ABCI want to make a string like this "exec proc1 arg1 = EXEC, arg2 = 472.59, arg3 = ABC"
How can i do this ?

richgalloway · ‎05-18-2022

Assuming the fields are always in the format shown, you can extract the procedure from Field1 and append the contents of Field2 as the arguments.

| rex field=Field1 "(?<call>.*?) arg1"
| eval exec = call . " " . Field2

---
If this reply helps you, Karma would be appreciated.

jeesphilipz · ‎05-18-2022

thanks for the reply

That didn't help me ,

procedure call would be more complex and some times the argument list can have more element in it
eg : exec procedureABC @arg1 = ?, @arg2 = ?, @arg3 = ? in real scenario the procedure call parameter begin with '@'

and the argument list wont have any '@' in it. also argument list can have more than 10 elements so we need a lookup there

How to create SQL query from log?

eval

field extraction

rex

stats

tstats

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

New Year, New Changes for Splunk Certifications

Join the Conversation

How to create SQL query from log?