Oracle Audit Trail Field Extraction

JSapienza
Contributor

I am trying to extract the fields from an Oracle 10g Audit trail. Below is a sample of the raw log:

Tue Feb 15 10:14:44 2011
SESSIONID: "21288516" ENTRYID: "5158831" STATEMENT: "3585703" USERID: "TEST" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "TEST" OBJ$NAME: "SR_JOB" OS$USERID: "auditwks" 

I have tried this in my transform.cfg:

REGEX = (?:(["']|(")).*?(?<!\\)(?(1)\1|(?(2)"))

FORMAT = $1::$3

But it seems not to be working and I'm not all that good with regexes. Any assistance is greatly appreciated.

0 Karma
1 Solution

gkanapathy
Splunk Employee

Looks to me like you just copied the REGEX from http://answers.splunk.com/questions/12157/oracle-audit-log-regex but that won't work because the format of the data there is completely different from the one you have here.

You might just be able to use:

DELIMS = " ", ":"

instead of a REGEX with this data format, but if you really wanted you could probably use:

REGEX = (\w+):\s+\"([^\"]*)\"
FORMAT = $1::$2

0 Karma

bvamos
Explorer

You can extract the key/value pair with one extraction:
(?i)(?<_KEY_1>\S+):\s+"(?<_VAL_1>[^"]+)"
This will result in these fields and values from your log:

SESSIONID=21288516
ENTRYID=5158831
STATEMENT=3585703
USERID=TEST
ACTION=6
RETURNCODE=0
OBJ_CREATOR=TEST
OBJ_NAME=SR_JOB
OS_USERID=auditwks

Note that Splunk is smart enough to replace the $ char in the field name.

0 Karma
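An added example (not code from any poster in this thread) that runs both suggested patterns over the sample event in Python: gkanapathy's `\w+` pattern and bvamos's `\S+` pattern, written with Python's `(?P<name>...)` group syntax in place of Splunk's `(?<name>...)`. The `splunk_field_name` helper is an assumption that approximates Splunk's key cleaning (non-alphanumeric characters to `_`), not Splunk's own code.

```python
import re

# Constructed sample event in the format shown in the question.
SAMPLE = (
    'Tue Feb 15 10:14:44 2011\n'
    'SESSIONID: "21288516" ENTRYID: "5158831" STATEMENT: "3585703" '
    'USERID: "TEST" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "TEST" '
    'OBJ$NAME: "SR_JOB" OS$USERID: "auditwks" '
)

# Accepted answer's pattern. \w+ does not match '$', so OBJ$CREATOR is
# captured as CREATOR and OS$USERID as USERID, which collides with USERID.
ANSWER_RE = re.compile(r'(\w+):\s+"([^"]*)"')

# bvamos's pattern (Python group syntax). \S+ keeps OBJ$CREATOR whole.
KV_RE = re.compile(r'(?P<key>\S+):\s+"(?P<val>[^"]+)"', re.I)


def splunk_field_name(raw: str) -> str:
    """Approximation (assumed) of Splunk's field-name cleaning: anything that
    is not a letter, digit or underscore becomes '_' (OBJ$CREATOR -> OBJ_CREATOR)."""
    return re.sub(r"[^A-Za-z0-9_]", "_", raw).lstrip("_")


def extract(event: str, pattern: re.Pattern = KV_RE) -> dict:
    """Return cleaned field name -> value for every key: "value" pair in event.
    Later keys overwrite earlier ones, as a dict of extractions would."""
    return {splunk_field_name(k): v for k, v in pattern.findall(event)}


def attribution_clash(event: str) -> bool:
    """True when the \\w+ pattern lets OS$USERID silently overwrite USERID,
    i.e. the database user in the audit record is replaced by the OS user."""
    good = extract(event, KV_RE)
    bad = extract(event, ANSWER_RE)
    return good["USERID"] != bad["USERID"]


if __name__ == "__main__":
    for name, pat in (("accepted-answer regex", ANSWER_RE), ("bvamos regex", KV_RE)):
        print(name, extract(SAMPLE, pat))
    print("USERID overwritten by OS$USERID:", attribution_clash(SAMPLE))
```

Running it shows the `\S+` form yielding the nine fields bvamos listed, while the `\w+` form yields eight, with USERID holding the OS user rather than the database user.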

gkanapathy
Splunk Employee

Search time is preferred most of the time, and definitely better in this case. Index time is both slower and less flexible.

0 Karma

JSapienza
Contributor

Couldn't get the extraction to work at index time for some reason. But, I resolved this issue with a few search time extractions.
Example:
(?im)USERID:\s\"(?P.+?)\"

0 Karma

JSapienza
Contributor

OK, I tried both the DELIMS and the modified REGEX and the fields still were not extracted. I am getting new events but the fields are not showing... it's the darnedest thing. Any ideas?

0 Karma

JSapienza
Contributor

Yeah, I was just looking at that. I copied the wrong REGEX when I was reading that post. Oops. I edited my original post but I will try your suggestion. Thanks!

0 Karma