Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

extracting fields & values from SQL logs

rizzo75
Path Finder
‎04-02-2014 08:31 AM

I am trying to extract field names and values from SQL logs.
IE - “… INSERT INTO table (COL1, COL2) VALUES ('VAL1', 'VAL2’)”

COL1=VAL1
COL2=VAL2

Any thoughts on how to do this?

Thanks,
Joe

Tags (2)
Reply

rizzo75
Path Finder
‎04-11-2014 01:32 PM

Here is an example of what I went with. Not that I am proud of it. 🙂

| history events=true | head 1 | fields - * _* | eval sql="INSERT INTO `table1` (`field1`, `field2`, `field3`, `field4`) VALUES (0, 1, NULL, 'sometext')"
| rex field=sql "INSERT INTO\s+.(?<tablename>\w+).\s+(?<FIELDS>\(.*\))\s+VALUES\s+(?<VALUES>\(.*\))"
| rex mode=sed field=FIELDS "s/`//g"
| rex mode=sed field=VALUES "s/'//g"
| rex max_match=0 field=FIELDS "\(?(?<MVFIELD>[\s\S]+?)[,)]\s?"
| rex max_match=0 field=VALUES "\(?(?<MVVALUE>[\s\S]+?)[,)]\s?"
| eval _raw=mvzip(MVFIELD,MVVALUE,"=") | extract
| fields - _raw FIELDS VALUES MVFIELD MVVALUE
| table *
Reply

geraldcontreras
Path Finder
‎11-18-2020 10:44 PM

Thank you thank you thank you!

This was exactly what i was after, then i used mvexpand and mvindex with split to split the values to the field

0 Karma
Reply

rizzo75
Path Finder
‎04-02-2014 09:34 AM

I wish I could. I do not have access to the DB.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2014 09:33 AM

You might get away with a transforms.conf extraction like this:

[your_stanza]
REGEX = (?i)insert\s*into\s*(?<table>\S+)\s*\((?<_KEY_1>\w+)(?:,\s*(?<_KEY_2>\w+))?(?:,\s*(?<_KEY_3>\w+))?(?:,\s*(?<_KEY_4>\w+))?\)\s*values\s*\('(?<_VAL_1>[^']+)'(?:,\s*'(?<_VAL_2>[^']+)')?(?:,\s*'(?<_VAL_4>[^']+)')?(?:,\s*'(?<_VAL_4>[^']+)')?\)

That's for up to four columns, but you probably see how it's expandable to any number. I didn't test this though, but I'm optimistic it might actually work. For a little background, see http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/transformsconf (search for "_key_").

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-11-2014 09:48 PM

You could create one expression with the maximum expected number of fields, they're all marked as optional.

0 Karma
Reply

rizzo75
Path Finder
‎04-11-2014 01:31 PM

I actually did not try it, but it looks like it would work if the number of fields was static.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-03-2014 01:40 PM

Does it work? I still didn't get around to actually test my expression 😄

0 Karma
Reply

rizzo75
Path Finder
‎04-03-2014 11:26 AM

Ah. Thanks!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2014 09:41 AM

This should extract the column names automatically, due to the magic _KEY_x and _VAL_x names.

Reply

rizzo75
Path Finder
‎04-02-2014 09:35 AM

Thanks - that is actually what I am doing now.
I was hoping to automatically extract the field name and values as this is tedious and static.

0 Karma
Reply

aelliott
Motivator
‎04-02-2014 08:56 AM

Have you attempted to use db connect? https://apps.splunk.com/app/958/

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New: Search and Personalization just got a major upgrade!

Hello Splunkers,  We’re excited to share two big upgrades coming to community.splunk.com today. These changes ...

Tech Talk | AI-Powered Data Management

  Now On-Demand   Join our Splunk experts for an exclusive Tech Talk as we explore the Cisco Data Fabric ...

GA: Detection Studio and Exposure Analytics in Enterprise Security (ES) 8.5

In this latest release of Enterprise Security (ES), we are excited to announce that  Detection ...