I have configured a Database Input in DB Connect to pull in data from an Oracle view. A sample string from one of the events follows: 2023-02-28 15:40:50.760, AUDIT_TYPE="Standard", OS_USERNAME="Administrator", TERMINAL="unknown", DBUSERNAME="RACOON", CLIENT_PROGRAM_NAME="SQL Developer", STATEMENT_ID="978", EVENT_TIMESTAMP="2023-02-28 18:40:50.76", ACTION_NAME="ALTER USER", OBJECT_NAME="SPLUNK", SQL_TEXT="ALTER USER "SPLUNK" DEFAULT ROLE "CONNECT","AUDIT_VIEWER"", SYSTEM_PRIVILEGE_USED="SYSDBA", CURRENT_USER="SYS", UNIFIED_AUDIT_POLICIES="ORA_SECURECONFIG" However, when I run this search the fields are not correctly identified: index=oracle_audit sourcetype=ID source=OracleAuditConnection Specifically, what should be fields like TERMINAL, CLIENT_PROGRAM_NAME, and OS_USERNAME (among many others) are not identified as fields. Additionally, the search is picking up values as fields, that should not be fields at all (often from the SQL_TEXT field). For example, "ACTIONS ALTER ON SPLUNK.BAT" is picked up as a field, rather than a value. I can improve the results a little by using the following: index=oracle_audit sourcetype=ID source=OracleAuditConnection | extract pairdelim="\"{,}" However, it still does not correctly identify all the fields. Nor does it work on the more complicated SQL_TEXT field, which may contain quotations and the equals signs at time. What can I do to successfully have all of my fields extracted? Is there any trick I can do, given that I am using DB Connect?
... View more