I have a log entry that looks like the following:
04/18/2012 09:41:36 AM
LogName=Application
SourceName=MSSQLSERVER
EventCode=33205
EventType=0
Type=Information
ComputerName=Computer_Name
TaskCategory=None
OpCode=None
RecordNumber=193724
Keywords=Audit Success, Classic
Message=Audit event: event_time:2012-04-18 14:41:35.6506383
sequence_number:1
action_id:SL
succeeded:true
permission_bitmask:1
is_column_permission:true
session_id:261
server_principal_id:2
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:310160421
class_type:U
session_server_principal_name:user
server_principal_name:user
server_principal_sid:random_number
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:Computer_Name
database_name:dbName
schema_name:dbo
object_name:TableName
statement:select *
from TableName order by CreateDate desc
additional_information:
.
I am attempting to only extract the object_name field out of the Message from the event log entry (this log came from the Windows Application Event Log). Going through the field extraction UI I generated the following extraction:
(?i)object_name:(?P<SQL_AUDIT_OBJECT>.+\s)
I would like to be able to parse the object_name field from within the message up to the word 'statement:'. This would allow me to capture database objects that might have a space in them. The extraction created in the wizard (noted above) yields the remainder of the message including the statement and additional information in the extracted field. This causes a problem when it comes to grouping by the object_name extraction.
Any help is appreciated.
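An added example, not part of the original post: the wizard pattern from the post compared with a capture bounded at `statement:`, run in Python, whose `re` module accepts the same `(?P<name>...)` syntax. The bounded pattern, the `make_message` helper, the sample events and the one-line layout are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Pattern produced by the field extraction UI, copied from the post.
WIZARD = re.compile(r"(?i)object_name:(?P<SQL_AUDIT_OBJECT>.+\s)")

# Bounded alternative (assumption, not from the post): lazy capture that stops
# at the whitespace before "statement:". (?s) lets "." cross line breaks.
BOUNDED = re.compile(
    r"(?is)object_name:\s*(?P<SQL_AUDIT_OBJECT>.*?)\s+statement:"
)

def extract(pattern, message):
    """Return the SQL_AUDIT_OBJECT capture, or None if there is no match."""
    m = pattern.search(message)
    return m.group("SQL_AUDIT_OBJECT") if m else None

def make_message(obj, stmt, sep):
    """Constructed Message tail using the field order shown in the post."""
    fields = ["database_name:dbName", "schema_name:dbo",
              f"object_name:{obj}", f"statement:{stmt}",
              "additional_information:"]
    return sep.join(fields) + sep

# Constructed sample events: one object queried twice, one name with a space.
SAMPLES = [
    ("TableName", "select * from TableName order by CreateDate desc"),
    ("TableName", "select count(*) from TableName"),
    ("Order Details", "select * from [Order Details]"),
]

def group_counts(pattern, sep):
    """Count events per extracted object name, as a group-by would."""
    return Counter(extract(pattern, make_message(o, s, sep)) for o, s in SAMPLES)

if __name__ == "__main__":
    # Layouts: fields separated by spaces (assumed) or by line breaks.
    for label, sep in (("one line", " "), ("multi-line", "\n")):
        print(label, "wizard :", dict(group_counts(WIZARD, sep)))
        print(label, "bounded:", dict(group_counts(BOUNDED, sep)))
```

With the wizard pattern every event lands in its own group because the statement text or trailing whitespace is part of the key; the bounded pattern yields one key per object in both layouts.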