Splunk Search

How to make a field extraction for my sample data?

New Member

I want to make a field extraction by the name of Action to show this whole text: 'update ggsourceadmin.monitor set ORACLE_TIME = CURRENT_TIMESTAMP WHERE TABLE_PK = 1'; how should I extract it?


Esteemed Legend

You need to show us the entire raw event.



You would have to show us the surrounding text, or examples of different versions, for us to know what to focus on in building the regex.

One thing that I would check on is whether that whole SQL statement ended in a semicolon. If so, that makes it pretty easy to know when to stop. Assuming there is one, then this rex would do it.

| rex "(?i)(?<Action>update [^;]+;)"

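Prototyping that pattern outside Splunk, as an added example that is not part of the original thread: the constructed events below are assumed log lines, and Splunk's rex uses PCRE, so the named-group syntax differs slightly from Python's (noted in the comments). It also shows the failure mode the answer warns about, an event whose statement has no trailing semicolon, and a lenient variant that stops at end-of-event instead.

```python
import re

# Constructed sample raw events (not from the original post), one event per string.
SAMPLE_EVENTS = [
    "2024-05-01 10:15:02 INFO executing: update ggsourceadmin.monitor set "
    "ORACLE_TIME = CURRENT_TIMESTAMP WHERE TABLE_PK = 1; rows=1",
    "2024-05-01 10:15:03 INFO executing: UPDATE ggsourceadmin.monitor SET "
    "ORACLE_TIME = CURRENT_TIMESTAMP WHERE TABLE_PK = 2;",
    # No terminating semicolon: the strict pattern will not match this event.
    "2024-05-01 10:15:04 INFO executing: update ggsourceadmin.monitor set "
    "ORACLE_TIME = CURRENT_TIMESTAMP WHERE TABLE_PK = 3",
    # Not an UPDATE at all: neither pattern should produce an Action field.
    "2024-05-01 10:15:05 INFO executing: select count(*) from ggsourceadmin.monitor;",
]

# Same logic as the answer's rex: case-insensitive, named group Action, stop at the
# first semicolon and keep it. Splunk/PCRE writes the group as (?<Action>...);
# Python's re module needs (?P<Action>...).
STRICT = re.compile(r"(?i)(?P<Action>update [^;]+;)")

# Lenient variant for events where the statement is not terminated with ';':
# take the shortest run up to a semicolon if present, otherwise to end of event.
LENIENT = re.compile(r"(?i)(?P<Action>update .*?)(?:;|$)")


def extract_action(event: str, pattern: re.Pattern = STRICT):
    """Return the Action field value for one raw event, or None if no match."""
    m = pattern.search(event)
    return m.group("Action") if m else None


def extract_all(events, pattern: re.Pattern = STRICT):
    """Apply the extraction to every event, mirroring a field extraction over a search."""
    return [extract_action(e, pattern) for e in events]


if __name__ == "__main__":
    for label, pat in (("strict", STRICT), ("lenient", LENIENT)):
        print(f"--- {label} ---")
        for ev, action in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS, pat)):
            print(repr(action))
```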