Splunk Search

Oracle Audit Trail Field Extraction

JSapienza
Contributor

I am trying to extract the fields from an Oracle 10g Audit trail. Below is a sample of the raw log:

Tue Feb 15 10:14:44 2011
SESSIONID: "21288516" ENTRYID: "5158831" STATEMENT: "3585703" USERID: "TEST" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "TEST" OBJ$NAME: "SR_JOB" OS$USERID: "auditwks" 

I have tried this in my transform.cfg:

REGEX = (?:(["']|(")).*?(?<!\\)(?(1)\1|(?(2)"))

FORMAT = $1::$3

But it seems not to be working and I'm not all that good with regexes. Any assistance is greatly appreciated.

1 Solution

gkanapathy
Splunk Employee

Looks to me like you just copied the REGEX from http://answers.splunk.com/questions/12157/oracle-audit-log-regex but that won't work because the format of the data there is completely different from the one you have here.

You might just be able to use:

DELIMS = " ", ":"

instead of a REGEX with this data format, but if you really wanted you could probably use:

REGEX = (\w+):\s+\"([^\"]*)\"
FORMAT = $1::$2


bvamos
Explorer

You can extract the key/value pair with one extraction:
(?i)(?<_KEY_1>\S+):\s+"(?<_VAL_1>[^"]+)"
This will result in these fields and values from your log:

SESSIONID=21288516
ENTRYID=5158831
STATEMENT=3585703
USERID=TEST
ACTION=6
RETURNCODE=0
OBJ_CREATOR=TEST
OBJ_NAME=SR_JOB
OS_USERID=auditwks

Note that Splunk is smart enough to replace the $ char in the field name.

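As an added check (not code from the thread), this Python script runs both extraction regexes given in the answers above over the question's sample event, so you can see the field names and values each one produces before putting it into transforms.conf. bvamos's pattern is rewritten with Python's `(?P<name>...)` group syntax, and `clean_key` is my own approximation of Splunk's default key cleaning, which the thread only demonstrates for `$`. It also shows why `\S+` is the safer choice for these keys: `\w` does not match `$`, so with `\w+` OBJ$CREATOR is captured as CREATOR and OS$USERID collides with the real USERID field.

```python
import re

# Constructed from the question's sample event (timestamp line plus audit record).
SAMPLE = (
    'Tue Feb 15 10:14:44 2011\n'
    'SESSIONID: "21288516" ENTRYID: "5158831" STATEMENT: "3585703" '
    'USERID: "TEST" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "TEST" '
    'OBJ$NAME: "SR_JOB" OS$USERID: "auditwks"'
)

# Accepted answer's REGEX: \w+ matches [A-Za-z0-9_] only, so it cannot span a '$'.
ANSWER_RE = re.compile(r'(\w+):\s+"([^"]*)"')
# bvamos's extraction, with Python's (?P<name>...) syntax for the named groups.
BVAMOS_RE = re.compile(r'(?i)(?P<_KEY_1>\S+):\s+"(?P<_VAL_1>[^"]+)"')


def clean_key(key):
    """Approximate Splunk's default key cleaning (CLEAN_KEYS): any character
    outside A-Z, a-z, 0-9 and '_' becomes '_'. Assumption: the thread only
    shows the '$' -> '_' case (OBJ$CREATOR -> OBJ_CREATOR)."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key)


def extract_fields(pattern, event):
    """Apply a key/value regex to one event and return {cleaned_key: value}.
    A plain dict keeps only the last value for a repeated key, which is how a
    collision shows up here (Splunk would produce a multivalue field instead)."""
    fields = {}
    for match in pattern.finditer(event):
        fields[clean_key(match.group(1))] = match.group(2)
    return fields


if __name__ == "__main__":
    for label, pattern in (("accepted answer (\\w+)", ANSWER_RE),
                           ("bvamos (\\S+)", BVAMOS_RE)):
        fields = extract_fields(pattern, SAMPLE)
        print(label, len(fields), "fields")
        for key, value in fields.items():
            print(f"  {key}={value}")
```

The timestamp line is included on purpose: neither pattern produces a false match from `10:14:44`, because the colon there is not followed by whitespace and a quote.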


gkanapathy
Splunk Employee

Search time is preferred most of the time, and definitely better in this case. Index time is both slower and less flexible.


JSapienza
Contributor

Couldn't get the extraction to work at index time for some reason. But, I resolved this issue with a few search time extractions.
Example:
(?im)USERID:\s\"(?P<USERID>.+?)\"


JSapienza
Contributor

OK, I tried both the DELIMS and the modified REGEX and the fields still were not extracted. I am getting new events but the fields are not showing... it's the darnedest thing. Any ideas?


JSapienza
Contributor

Yeah, I was just looking at that. I copied the wrong REGEX when I was reading that post. Oops. I edited my original post but I will try your suggestion. Thanks!
