SQL Injection search is an application template for you to use to search for possible SQL injection in your events. It uses two macros. One is called sqlinjection_pattern(sourcetype, uri query field) which looks for patterns in your URI Query field to see if someone has injected them with SQL statements.
Because it is difficult to point out every SQL pattern that may be used, another method suggested by Monzy Merza is to use standard deviations that are 2.5 times greater than the average length of your URI Query Field. The sqlinjection_stats(sourcetype, uri query field) macro is used to detect this. Simply copy macros.conf from default to the app's local directory and change the macro's where clause to match what may be typical of your own web site to find outliers.
A combination of both these macros will help you find possible SQL Injection
attempts. Read the included README.txt for usage.