I'm sending data from Azure SQL via Event Hub. I've been using the MS add-on for Splunk, which has been working pretty well, but as it's EOL, I'm trying the Splunk Add-on for Microsoft Cloud Services. The first thing I noticed is how differently the logs are stored.
MS Add-on:
JSON is clear.
properties.server_principal_name, properties.statement
Splunk Add-on for MS Cloud Services:
2-4 records for each event. Takes 20-30 seconds to render in a search (index=sql).
records{}.properties.server_principal_name, records{}.properties.statement. Each one will have 2-4 values in it (SQLUSER, WEBUSER, OPSUSER). The strange thing is there will be 2-4 statements or other fields (records{}.properties.succeeded (true, true, true, true)). Why 3 users and 4 successes?
I'm trying to query this thing to get certain traffic, such as records{}.properties.server_principal_name="webuser" | table records{}.properties.statement, and all records are returned, but the statements returned are multiple, or simply not statements from WEBUSER.
My source is correct for audit logs: mcsc:azure:eventhub.
Is this the way it's supposed to act, and if so, can I get any pointers on how to get an spath query working on this thing, given that I want only statements from WEBUSER and that could be the 0, 1, 2 or 3 element in a nest on each event?
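To illustrate the behaviour the question describes, here is an added example (not code from the poster, from Microsoft, or from either Splunk add-on). It models one Event Hub message with a constructed four-record `records` array in which one user appears twice, shows why a filter on the event-level multivalue field `records{}.properties.server_principal_name` returns every statement in the event, and shows the per-record filtering you get once each array element is expanded into its own row. The record contents, user names, statements and the SPL quoted in the comments (the usual `spath path=records{}` / `mvexpand` / `spath input=` pattern) are assumptions used for illustration, not taken from the page or the add-on's documentation.

```python
import json

# Constructed sample: one Event Hub message shaped the way the question
# describes, a "records" array holding four SQL audit records. All values
# (users, statements) are invented for illustration.
SAMPLE_EVENT = json.dumps({
    "records": [
        {"category": "SQLSecurityAuditEvents",
         "properties": {"server_principal_name": "SQLUSER",
                        "statement": "SELECT COUNT(*) FROM dbo.Jobs",
                        "succeeded": True}},
        {"category": "SQLSecurityAuditEvents",
         "properties": {"server_principal_name": "WEBUSER",
                        "statement": "SELECT * FROM dbo.Orders WHERE Id = 42",
                        "succeeded": True}},
        {"category": "SQLSecurityAuditEvents",
         "properties": {"server_principal_name": "OPSUSER",
                        "statement": "ALTER ROLE db_owner ADD MEMBER tempuser",
                        "succeeded": True}},
        {"category": "SQLSecurityAuditEvents",
         "properties": {"server_principal_name": "WEBUSER",
                        "statement": "UPDATE dbo.Customers SET Email = 'x' WHERE Id = 7",
                        "succeeded": True}},
    ]
})


def flatten_event(event_json: str) -> dict:
    """Model of what JSON auto-extraction shows at event level: every
    records{}.properties.<key> path becomes one multivalue field holding
    that key's value from each record, in array order. The pairing between
    a user and "its" statement is only positional; search does not use it."""
    fields: dict = {}
    for rec in json.loads(event_json)["records"]:
        for key, val in rec["properties"].items():
            fields.setdefault(f"records{{}}.properties.{key}", []).append(val)
    return fields


def naive_search(event_json: str, user: str) -> list:
    """Model of the search in the question:
         records{}.properties.server_principal_name="webuser"
         | table records{}.properties.statement
    The predicate is satisfied if ANY value of the multivalue field matches
    (the search command compares field values case-insensitively), and the
    table then shows EVERY statement in the event, not only that user's."""
    fields = flatten_event(event_json)
    users = fields["records{}.properties.server_principal_name"]
    if not any(u.casefold() == user.casefold() for u in users):
        return []
    return fields["records{}.properties.statement"]


def per_record_search(event_json: str, user: str) -> list:
    """Model of expanding each array element into its own row first
    (assumed SPL equivalent, the common spath/mvexpand pattern):
         | spath path=records{} output=rec
         | mvexpand rec
         | spath input=rec
         | search properties.server_principal_name="webuser"
         | table properties.statement
    After mvexpand each row carries exactly one record, so the user and the
    statement are evaluated together whatever the element's array position."""
    return [
        rec["properties"]["statement"]
        for rec in json.loads(event_json)["records"]
        if rec["properties"]["server_principal_name"].casefold() == user.casefold()
    ]


if __name__ == "__main__":
    f = flatten_event(SAMPLE_EVENT)
    print("users     :", f["records{}.properties.server_principal_name"])
    print("succeeded :", f["records{}.properties.succeeded"])
    print("naive     :", naive_search(SAMPLE_EVENT, "webuser"))
    print("per-record:", per_record_search(SAMPLE_EVENT, "webuser"))
```

In the constructed sample the flattened view lists four users and four `succeeded` values, so a lookup by position alone already needs care; `naive_search` returns all four statements even though only two belong to WEBUSER, while `per_record_search` returns exactly those two. When using the mvexpand form in Splunk, keep the index and sourcetype restriction in the base search so the expansion only runs over candidate events.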