Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extracting fields & values from SQL logs

rizzo75
Path Finder
‎04-02-2014 08:31 AM

I am trying to extract field names and values from SQL logs.
IE - “… INSERT INTO table (COL1, COL2) VALUES ('VAL1', 'VAL2’)”

COL1=VAL1
COL2=VAL2

Any thoughts on how to do this?

Thanks,
Joe

Tags (2)
Reply

rizzo75
Path Finder
‎04-11-2014 01:32 PM

Here is an example of what I went with. Not that I am proud of it. 🙂

| history events=true | head 1 | fields - * _* | eval sql="INSERT INTO `table1` (`field1`, `field2`, `field3`, `field4`) VALUES (0, 1, NULL, 'sometext')"
| rex field=sql "INSERT INTO\s+.(?<tablename>\w+).\s+(?<FIELDS>\(.*\))\s+VALUES\s+(?<VALUES>\(.*\))"
| rex mode=sed field=FIELDS "s/`//g"
| rex mode=sed field=VALUES "s/'//g"
| rex max_match=0 field=FIELDS "\(?(?<MVFIELD>[\s\S]+?)[,)]\s?"
| rex max_match=0 field=VALUES "\(?(?<MVVALUE>[\s\S]+?)[,)]\s?"
| eval _raw=mvzip(MVFIELD,MVVALUE,"=") | extract
| fields - _raw FIELDS VALUES MVFIELD MVVALUE
| table *
Reply

geraldcontreras
Path Finder
‎11-18-2020 10:44 PM

Thank you thank you thank you!

This was exactly what i was after, then i used mvexpand and mvindex with split to split the values to the field

0 Karma
Reply

rizzo75
Path Finder
‎04-02-2014 09:34 AM

I wish I could. I do not have access to the DB.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2014 09:33 AM

You might get away with a transforms.conf extraction like this:

[your_stanza]
REGEX = (?i)insert\s*into\s*(?<table>\S+)\s*\((?<_KEY_1>\w+)(?:,\s*(?<_KEY_2>\w+))?(?:,\s*(?<_KEY_3>\w+))?(?:,\s*(?<_KEY_4>\w+))?\)\s*values\s*\('(?<_VAL_1>[^']+)'(?:,\s*'(?<_VAL_2>[^']+)')?(?:,\s*'(?<_VAL_4>[^']+)')?(?:,\s*'(?<_VAL_4>[^']+)')?\)

That's for up to four columns, but you probably see how it's expandable to any number. I didn't test this though, but I'm optimistic it might actually work. For a little background, see http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/transformsconf (search for "_key_").

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-11-2014 09:48 PM

You could create one expression with the maximum expected number of fields, they're all marked as optional.

0 Karma
Reply

rizzo75
Path Finder
‎04-11-2014 01:31 PM

I actually did not try it, but it looks like it would work if the number of fields was static.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-03-2014 01:40 PM

Does it work? I still didn't get around to actually test my expression 😄

0 Karma
Reply

rizzo75
Path Finder
‎04-03-2014 11:26 AM

Ah. Thanks!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2014 09:41 AM

This should extract the column names automatically, due to the magic _KEY_x and _VAL_x names.

Reply

rizzo75
Path Finder
‎04-02-2014 09:35 AM

Thanks - that is actually what I am doing now.
I was hoping to automatically extract the field name and values as this is tedious and static.

0 Karma
Reply

aelliott
Motivator
‎04-02-2014 08:56 AM

Have you attempted to use db connect? https://apps.splunk.com/app/958/

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...