Splunk Search

Querying Events in Splunk for MS vs MS Add-on for splunk


I'm sending data from Azure SQL via event hub.   Been using the MS add on for splunk, which as been working pretty well, but as its EOL, trying the Splunk Add-on for Microsoft Cloud Services.   First thing i noticed is how different the logs are stored.

MS Add-on

json is clear.

properties.server_principal_name,  properties.statement

Splunk add on for MS cloud services:

2 -4 records for each event.   Takes 20=30 seconds to render in a search (index=sql).

records{}.properties.server_principal_name, records{}.properties.statement.  each one will have 2-4 values in it (SQLUSER, WEBUSER, OPSUSER).   Strange thing is there will be 2-4 statments or other fields (records{}.properties.succeeded (true,true, true,true).   wHy 3 users and 4 success?

I'm trying to query this thing to get certain traffic such as records{}.properties.server_principal_name="webuser" | table records{}.properties.statement and all records returned but the statements returned are multiple, or simply not statements from WEBUSER.  

My source is correct for audit logs mcsc:azure:eventhub

Is this the way is supposed to act and if so, can i get any pointers on how to spath query this thing working given if i wanted only statements from WEBUSER and that could be the 0,1,2,3 element in a nest on each event?


Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...