Splunk search for DB Connect queries

index=_audit sourcetype=audittrail action="db_connect_execute_query" | rex field=_raw "\sREST:\s\/db_connect\/query\/.+SELECT(?<Query>.+)].\w\S\w]" | eval Query=urldecode(Query) | table timestamp user Query
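This search produces a table of the DB Connect queries that have been executed, along with the user who ran each one and the time it ran. The rex pattern keys on the literal SELECT, so the Query column holds the URL-decoded text that follows it and is blank for events where the pattern does not match.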