Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extracting fields & values from SQL logs

rizzo75
Path Finder
‎04-02-2014 08:31 AM

I am trying to extract field names and values from SQL logs.
IE - “… INSERT INTO table (COL1, COL2) VALUES ('VAL1', 'VAL2’)”

COL1=VAL1
COL2=VAL2

Any thoughts on how to do this?

Thanks,
Joe

Tags (2)
Reply

rizzo75
Path Finder
‎04-11-2014 01:32 PM

Here is an example of what I went with. Not that I am proud of it. 🙂

| history events=true | head 1 | fields - * _* | eval sql="INSERT INTO `table1` (`field1`, `field2`, `field3`, `field4`) VALUES (0, 1, NULL, 'sometext')"
| rex field=sql "INSERT INTO\s+.(?<tablename>\w+).\s+(?<FIELDS>\(.*\))\s+VALUES\s+(?<VALUES>\(.*\))"
| rex mode=sed field=FIELDS "s/`//g"
| rex mode=sed field=VALUES "s/'//g"
| rex max_match=0 field=FIELDS "\(?(?<MVFIELD>[\s\S]+?)[,)]\s?"
| rex max_match=0 field=VALUES "\(?(?<MVVALUE>[\s\S]+?)[,)]\s?"
| eval _raw=mvzip(MVFIELD,MVVALUE,"=") | extract
| fields - _raw FIELDS VALUES MVFIELD MVVALUE
| table *
Reply

geraldcontreras
Path Finder
‎11-18-2020 10:44 PM

Thank you thank you thank you!

This was exactly what i was after, then i used mvexpand and mvindex with split to split the values to the field

0 Karma
Reply

rizzo75
Path Finder
‎04-02-2014 09:34 AM

I wish I could. I do not have access to the DB.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2014 09:33 AM

You might get away with a transforms.conf extraction like this:

[your_stanza]
REGEX = (?i)insert\s*into\s*(?<table>\S+)\s*\((?<_KEY_1>\w+)(?:,\s*(?<_KEY_2>\w+))?(?:,\s*(?<_KEY_3>\w+))?(?:,\s*(?<_KEY_4>\w+))?\)\s*values\s*\('(?<_VAL_1>[^']+)'(?:,\s*'(?<_VAL_2>[^']+)')?(?:,\s*'(?<_VAL_4>[^']+)')?(?:,\s*'(?<_VAL_4>[^']+)')?\)

That's for up to four columns, but you probably see how it's expandable to any number. I didn't test this though, but I'm optimistic it might actually work. For a little background, see http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/transformsconf (search for "_key_").

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-11-2014 09:48 PM

You could create one expression with the maximum expected number of fields, they're all marked as optional.

0 Karma
Reply

rizzo75
Path Finder
‎04-11-2014 01:31 PM

I actually did not try it, but it looks like it would work if the number of fields was static.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-03-2014 01:40 PM

Does it work? I still didn't get around to actually test my expression 😄

0 Karma
Reply

rizzo75
Path Finder
‎04-03-2014 11:26 AM

Ah. Thanks!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2014 09:41 AM

This should extract the column names automatically, due to the magic _KEY_x and _VAL_x names.

Reply

rizzo75
Path Finder
‎04-02-2014 09:35 AM

Thanks - that is actually what I am doing now.
I was hoping to automatically extract the field name and values as this is tedious and static.

0 Karma
Reply

aelliott
Motivator
‎04-02-2014 08:56 AM

Have you attempted to use db connect? https://apps.splunk.com/app/958/

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top