index=app_pc "Last Executed SQL" "Tablespace"
| rex field=_raw <SERVICE_NAME>(?<SERVICE_NAME>.*)</SERVICE_NAME>
| rex field=_raw <HOSTt>(?<HOST>.*)</HOST>
| rex field=_raw <host>(?<host>.*)</host>
| rex field=_raw <CONNECT_DATA>(?<CONNECT_DATA>.*)</CONNECT_DATA>
| rex field=_raw <source>(?<source>.*)</source>
| rex field=_raw <index>(?<index>.*)</index>
| rex field=_raw <sql>(?<sql>.*)</sql>
| rex field=_raw <tablel>(?<tablel>.*)</table>
|eval hour=strftime(_time,"%H")
|eval minute=strftime(_time,"%M")
|table _time, SERVICE_NAME, HOST, host,CONNECT_DATA, source, index, sql, table

I know not correct but trying to extract index and tables name of table running out of space

unable to extend index PCR.PC0000009BU5 by 8192 in tablespace PCR

and table name from SQL in Splunk. 

SELECT COUNT(*)

FROM (SELECT /* ISNULL:pcx_availablevolexcesses_ext.EffectiveDate:, ISNULL:pcx_availablevolexcesses_ext.ExpirationDate:; */ 1 as countCol

FROM pcx_availablevolexcesses_ext pcx_availablevolexcesses_ext INNER JOIN pc_policyperiod policyperiod_0 ON policyperiod_0.ID=pcx_availablevolexcesses_ext.BranchID

WHERE pcx_availablevolexcesses_ext.BranchID = ? AND ((((pcx_availablevolexcesses_ext.ExpirationDate IS NULL) OR (pcx_availablevolexcesses_ext.EffectiveDate IS NULL AND pcx_availablevolexcesses_ext.ExpirationDate <> ? AND pcx_availablevolexcesses_ext.ExpirationDate IS NOT NULL) OR (pcx_availablevolexcesses_ext.ExpirationDate <> pcx_availablevolexcesses_ext.EffectiveDate)))) AND policyperiod_0.Retired = 0 AND policyperiod_0.TemporaryBranch = '0') countTable