How to create SQL query from log?

jeesphilipz · ‎05-18-2022

Hi

I have two files Filed1 and Filed2, Fileld1 is procedure call and Files 2 is the arguments

i want to make a proper procedure call out of it by replacing "?" with actual vales from the arguments

Eg:
Filed1 exec procedureABC arg1 = ?, arg2 = ?, arg3 = ?

Filed2 arg1=EXEC, arg2=472.59, arg3=ABCI want to make a string like this "exec proc1 arg1 = EXEC, arg2 = 472.59, arg3 = ABC"
How can i do this ?

richgalloway · ‎05-18-2022

Assuming the fields are always in the format shown, you can extract the procedure from Field1 and append the contents of Field2 as the arguments.

| rex field=Field1 "(?<call>.*?) arg1"
| eval exec = call . " " . Field2

---
If this reply helps you, Karma would be appreciated.

jeesphilipz · ‎05-18-2022

thanks for the reply

That didn't help me ,

procedure call would be more complex and some times the argument list can have more element in it
eg : exec procedureABC @arg1 = ?, @arg2 = ?, @arg3 = ? in real scenario the procedure call parameter begin with '@'

and the argument list wont have any '@' in it. also argument list can have more than 10 elements so we need a lookup there

How to create SQL query from log?

eval

field extraction

rex

stats

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

How to create SQL query from log?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.