Splunk Search

Querying Events in Splunk for MS vs MS Add-on for splunk

zippo706
Explorer

I'm sending data from Azure SQL via event hub.   Been using the MS add on for splunk, which as been working pretty well, but as its EOL, trying the Splunk Add-on for Microsoft Cloud Services.   First thing i noticed is how different the logs are stored.

MS Add-on

json is clear.

properties.server_principal_name,  properties.statement

Splunk add on for MS cloud services:

2 -4 records for each event.   Takes 20=30 seconds to render in a search (index=sql).

records{}.properties.server_principal_name, records{}.properties.statement.  each one will have 2-4 values in it (SQLUSER, WEBUSER, OPSUSER).   Strange thing is there will be 2-4 statments or other fields (records{}.properties.succeeded (true,true, true,true).   wHy 3 users and 4 success?

I'm trying to query this thing to get certain traffic such as records{}.properties.server_principal_name="webuser" | table records{}.properties.statement and all records returned but the statements returned are multiple, or simply not statements from WEBUSER.  

My source is correct for audit logs mcsc:azure:eventhub

Is this the way is supposed to act and if so, can i get any pointers on how to spath query this thing working given if i wanted only statements from WEBUSER and that could be the 0,1,2,3 element in a nest on each event?

 

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...