Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to terminate an extracted field at a specific ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a log entry that looks like the following:
04/18/2012 09:41:36 AM
LogName=Application
SourceName=MSSQLSERVER
EventCode=33205
EventType=0
Type=Information
ComputerName=Computer_Name
TaskCategory=None
OpCode=None
RecordNumber=193724
Keywords=Audit Success, Classic
Message=Audit event: event_time:2012-04-18 14:41:35.6506383
sequence_number:1
action_id:SL
succeeded:true
permission_bitmask:1
is_column_permission:true
session_id:261
server_principal_id:2
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:310160421
class_type:U
session_server_principal_name:user
server_principal_name:user
server_principal_sid:random_number
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:Computer_Name
database_name:dbName
schema_name:dbo
object_name:TableName
statement:select *
from TableName order by CreateDate desc
additional_information:
.
I am attempting to only extract the object_name field out of the Message from the event log entry(this log came from the Windows Application Event Log). Going through the field extraction UI I generated the following extraction:
(?i)object_name:(?P<SQL_AUDIT_OBJECT>.+\s)
I would like to be able to parse the object_name field from within the message up to the word 'statement:'. This would allow me to capture database objects that might have a space in them. The extraction created in the wizard (noted above) yields the remainder of the message including the statement and additional information in the extracted field. This causes a problem when it comes to grouping by the object_name extraction.
Any help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If its really terminated by linefeed, you could do something like this instead
(?i)object_name:(?P<SQL_AUDIT_OBJECT>[^\n]+)
That will find everything till the end of the line. I think the problem your having is that the .+ is greedy. I usually try to do regex where i don't use .
If its not line feed terminated and the above is formatted for our benefit, you could do
(?i)object_name:(?P<SQL_AUDIT_OBJECT>[^\s]+)
which will break at the first whitespace character (tab, space, linefeed, etc.)
rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If its really terminated by linefeed, you could do something like this instead
(?i)object_name:(?P<SQL_AUDIT_OBJECT>[^\n]+)
That will find everything till the end of the line. I think the problem your having is that the .+ is greedy. I usually try to do regex where i don't use .
If its not line feed terminated and the above is formatted for our benefit, you could do
(?i)object_name:(?P<SQL_AUDIT_OBJECT>[^\s]+)
which will break at the first whitespace character (tab, space, linefeed, etc.)
rob
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
