Hi, I'm having an issue parsing the SQL_TEXT field from oracle:audit:unified. When the field comes through it contains spurious text that isn't returned by the query using DBConnect and the oracle:audit:unified template. For example:

DBConnect: grant create tablespace to test_splunk
Splunk: grant create tablespace to test_splunk,4,,1,,,,,,

The RAW event seems to come through as a CSV by virtue of the Oracle TA, but we have a regex for the event extraction that looks like the below, which seems to work in regex101:

SQL_TEXT="(?<SQL_TEXT>(?:.|\n)*?)(?=(?:",\s\S+=|"$))

I know the data type is CLOB, so I have tried converting it using the substring command but I get the same result. Any idea what is going on here?
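Added example (not part of the original post): a small Python harness that runs the posted regex against a handful of constructed raw events, so the capture can be compared with what the Splunk search shows. The only change to the pattern is the named group, which Python's re module spells (?P<name>...) instead of the PCRE (?<name>...) that Splunk accepts. The event layouts below are assumptions for the demonstration, not real oracle:audit:unified output; the last two cases differ only in where the closing quote and the next KEY= sit relative to the trailing ,4,,1,,,,,, columns, and that alone decides whether those columns land inside the SQL_TEXT capture or the regex fails to match at all.

```python
import re

# The extraction regex from the post, with the PCRE named group (?<SQL_TEXT>...)
# rewritten as Python's (?P<SQL_TEXT>...); the rest of the pattern is unchanged.
SQL_TEXT_RE = re.compile(r'SQL_TEXT="(?P<SQL_TEXT>(?:.|\n)*?)(?=(?:",\s\S+=|"$))')


def extract_sql_text(event):
    """Return the SQL_TEXT capture for one raw event, or None when the regex does not match."""
    m = SQL_TEXT_RE.search(event)
    return m.group("SQL_TEXT") if m else None


# Constructed sample events (assumptions, not real oracle:audit:unified output).
# The KEY="value", KEY="value" layout is assumed; only the SQL_TEXT value is real.
EVENTS = {
    # closing quote followed by ", NEXT_KEY=" : lookahead terminates the lazy match
    "kv_single_line": 'AUDIT_TYPE="Standard", SQL_TEXT="grant create tablespace to test_splunk", RETURN_CODE="0"',
    # (?:.|\n) lets the capture span a line break inside the statement
    "kv_multi_line": 'AUDIT_TYPE="Standard", SQL_TEXT="grant create tablespace\nto test_splunk", RETURN_CODE="0"',
    # SQL_TEXT is the last field: the "$ alternative terminates the match
    "kv_last_field": 'AUDIT_TYPE="Standard", SQL_TEXT="grant create tablespace to test_splunk"',
    # trailing CSV columns sit inside the quotes: they become part of the capture
    "kv_trailing_columns_inside_quotes": 'AUDIT_TYPE="Standard", SQL_TEXT="grant create tablespace to test_splunk,4,,1,,,,,,", RETURN_CODE="0"',
    # trailing CSV columns follow the closing quote with no ", KEY=" and no "$ : no match at all
    "csv_after_value": 'SQL_TEXT="grant create tablespace to test_splunk",4,,1,,,,,,',
}


def run_all():
    """Apply the regex to every constructed event and return {name: capture}."""
    return {name: extract_sql_text(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, sql in run_all().items():
        print(f"{name}: {sql!r}")
```

Pasting the actual _raw of one offending event into EVENTS and re-running shows exactly which alternative of the lookahead is (or is not) firing on the real data, which is the first thing to check before touching the CLOB handling on the DBConnect side.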