Oracle Audit Trail Field Extraction

JSapienza
Contributor

I am trying to extract the fields from an Oracle 10g Audit trail. Below is a sample of the raw log :

Tue Feb 15 10:14:44 2011
SESSIONID: "21288516" ENTRYID: "5158831" STATEMENT: "3585703" USERID: "TEST" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "TEST" OBJ$NAME: "SR_JOB" OS$USERID: "auditwks" 

I have tried this in my transform.cfg :

REGEX = (?:(["']|(")).*?(?<!\\)(?(1)\1|(?(2)"))

FORMAT = $1::$3

But it seems not to be working and I'm not all that good with regexes. Any assistance is greatly appreciated.

0 Karma
1 Solution

gkanapathy
Splunk Employee

Looks to me like you just copied the REGEX from http://answers.splunk.com/questions/12157/oracle-audit-log-regex but that won't work because the format of the data there is completely different from the one you have here.

You might just be able to use:

DELIMS = " ", ":"

instead of a REGEX with this data format, but if you really wanted you could probably use:

REGEX = (\w+):\s+\"([^\"]*)\"
FORMAT = $1::$2

0 Karma

bvamos
Explorer

You can extract the key/value pair with one extraction:
(?i)(?<_KEY_1>\S+):\s+"(?<_VAL_1>[^"]+)"
This will result in these fields and values from your log:

SESSIONID=21288516
ENTRYID=5158831
STATEMENT=3585703
USERID=TEST
ACTION=6
RETURNCODE=0
OBJ_CREATOR=TEST
OBJ_NAME=SR_JOB
OS_USERID=auditwks

Note that Splunk is smart enough to replace the $ char in the field name.

0 Karma
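As an added check (not code from the thread), this Python script applies the two suggested key patterns to the sample event from the question and approximates Splunk's field-name cleaning. It shows that a `\w+` key stops at the `$` in OBJ$CREATOR, so that key comes out as CREATOR and OS$USERID collides with USERID, while a `\S+` key keeps the whole name and cleaning turns it into OBJ_CREATOR. The CLEAN_KEYS approximation is an assumption, not Splunk's own code.

```python
import re

# Constructed sample event in the format shown in the question (Oracle 10g audit trail).
SAMPLE_EVENT = (
    'Tue Feb 15 10:14:44 2011\n'
    'SESSIONID: "21288516" ENTRYID: "5158831" STATEMENT: "3585703" '
    'USERID: "TEST" ACTION: "6" RETURNCODE: "0" OBJ$CREATOR: "TEST" '
    'OBJ$NAME: "SR_JOB" OS$USERID: "auditwks" '
)

# Key pattern from the accepted answer's REGEX: a \w+ key cannot contain "$".
WORD_KEY_RE = re.compile(r'(\w+):\s+"([^"]*)"')
# Key pattern from the later answer: \S+ takes the whole OBJ$CREATOR-style key.
NONSPACE_KEY_RE = re.compile(r'(\S+):\s+"([^"]*)"')


def clean_key(key: str) -> str:
    """Approximation (assumed) of Splunk's CLEAN_KEYS cleanup: non-alphanumeric
    characters become "_", and leading underscores/digits are dropped."""
    cleaned = re.sub(r'[^A-Za-z0-9_]', '_', key)
    return cleaned.lstrip('_0123456789')


def extract_fields(event: str, pattern: re.Pattern = NONSPACE_KEY_RE) -> dict:
    """Return {cleaned_field_name: value} for every key: "value" pair in the event,
    i.e. what FORMAT = $1::$2 would produce for the given REGEX. A later pair with
    the same cleaned name overwrites an earlier one, which exposes key collisions."""
    return {clean_key(k): v for k, v in pattern.findall(event)}


if __name__ == "__main__":
    for name, pat in (("\\w+ key", WORD_KEY_RE), ("\\S+ key", NONSPACE_KEY_RE)):
        print(name)
        for field, value in extract_fields(SAMPLE_EVENT, pat).items():
            print(f"  {field}={value}")
```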


gkanapathy
Splunk Employee

Search time is preferred most of the time, and definitely better in this case. Index time is both slower and less flexible.

0 Karma

JSapienza
Contributor

Couldn't get the extraction to work at index time for some reason. But, I resolved this issue with a few search time extractions.
Example:
(?im)USERID:\s\"(?P<USERID>.+?)\"

0 Karma

JSapienza
Contributor

OK, I tried both the DELIMS and the modified REGEX and the fields still were not extracted. I am getting new events but the fields are not showing... it's the darnedest thing. Any ideas?

0 Karma

JSapienza
Contributor

Yea, I was just looking at that. I copied the wrong REGEX when I was reading that post. Oops. I edited my original post but I will try your suggestion. Thanks!

0 Karma