index=_internal | head 1
| eval _raw="{\"message\":\"Completed SQL Query\",\"context\":{\"query\":\"INSERT INTO \\\"Messages\\\" (\\\"parentId\\\", \\\"subject\\\", \\\"status\\\", \\\"entityId\\\", \\\"inbound\\\", \\\"spamScore\\\", \\\"spamReport\\\", \\\"type\\\", \\\"addresseeObjectTypeId\\\", \\\"addresseeObjectId\\\", \\\"addresseeId\\\", \\\"toAddress\\\", \\\"fromAddress\\\", \\\"senderObjectTypeId\\\", \\\"senderObjectId\\\", \\\"senderId\\\", \\\"objectKey\\\", \\\"uuid\\\", \\\"created\\\", \\\"createdBy\\\", \\\"updated\\\", \\\"updatedBy\\\") VALUES ('11111111', 'myname', 'received', '111', 1, '1.1111', 'Spam detection software, running on the system \\\"mailmail.net\\\", has\\\\nidentified this incoming email as possible spam. The original message\\\\nhas been attached to this so you can view it (if it isn''t spam) or label\\\\nsimilar future email. If you have any questions, see\\\\n@@CONTACT_ADDRESS@@ for details.\\\\n\\\\nContent preview: some preview of the email\\\\n\\\\nContent analysis details: (0.0 points, 5.0 required)\\\\n\\\\n pts rule name description\\\\n---- ---------------------- --------------------------------------------------\\\\n 0.0 FREEMAIL_FROM Sender email is freemail (nsendername[at]gmail.com)\\\\n 0.0 HTML_MESSAGE BODY: HTML included in message\\\\n 0.0 T_MIME_NO_TEXT No text body parts\\\\n\\\\n', 'Email', '1', '1', '658546', 'receivername@mail.com', 'sendername@gmail.com', '11', '111111', '123456', 'messages/1111111-111111-11111-111111-11111111', '11111111-11111-11111-11111-11111111', '2020-09-02T07:26:59+00:00', 1, '2020-09-02T07:26:59+00:00', 1) SELECT SCOPE_IDENTITY()\",\"bind\":[],\"timer\":{\"query\":{\"time\":\"0.02\",\"totalTime\":\"0.05\",\"count\":111}}},\"level\":111,\"level_name\":\"NAME\",\"channel\":\"query\",\"datetime\":{\"date\":\"2020-09-02 07:26:59.232241\",\"timezone_type\":3,\"timezone\":\"UTC\"},\"extra\":{\"url\":\"/something/orrather/bound\",\"ip\":\"1.1.1.1\",\"http_method\":\"POST\",\"server\":\"\",\"referrer\":null,\"instanceTag\":\"111111111\",\"requestId\":\"12jh1iu2hu1ikh2k1uh2ku1\"}}"
| spath output=query path=context.query
| rex field=query "INSERT INTO \"Messages\" \((?<columns>.*)\) VALUES \((?<values>.*)\) SELECT SCOPE"
| eval values=replace(values, "\'\'", "\'")
| rex max_match=0 field=values "(?<value>(\d+|'.*?[^\\\]')(|, ))"
| makemv delim="," columns
| eval columns=mvmap(columns,trim(columns))
| eval combined=mvzip(columns,value,"=")
| mvexpand combined
| fields combined
| rex field=combined "\"(?<name>[^\"]*)\"=(?<value>.*)"
| eval {name}=value
| fields - _raw, combined, name, value
| stats values(*) as *
| table * Couple of things to note: first rex assumes "table" is called Messages and that there is SELECT SCOPE after the values which it might not be the case for all your events double single quote in the middle of one of the fields in the word isn't was escaped with a backslash but not converted back works on the example given and uses mvexpand to create multiple events and stats to join them back but this should be done with an event identifier if using multiple events Might work as a starting point for you though
... View more