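index=_audit sourcetype=audittrail action="db_connect_execute_query" `comment("DB Connect SQL executed through the REST endpoint as recorded in the Splunk audit trail. Query keeps the statement keyword and is matched case-insensitively at its first occurrence so nested SELECTs and non-SELECT statements are captured. Query is empty when the audit line does not match the expected layout.")`
| rex field=_raw "(?i)\sREST:\s\/db_connect\/query\/.+?(?<Query>(?:SELECT|WITH|INSERT|UPDATE|DELETE|MERGE|CALL|EXEC(?:UTE)?|CREATE|ALTER|DROP|TRUNCATE)\b.+)].\w\S\w]"
| eval Query=urldecode(Query)
| table timestamp user Query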