splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0
154 stars 111 forks

IBM Guardium App parsing and Proper Time Extractions #1877

Closed cjohn78 closed 1 year ago

cjohn78 commented 2 years ago

Is there a way to extract the epoch time located in start=1666193583000 to _time? Currently SC4S is treating the field sc4s_recv_time as _time and I would like to change it. See example log below.

CEF:0|IBM|Guardium|11.0|20021|Alert on Privileged Commands by Non-Authorized Users|5|rt=1666193760000 cs1=INFO cs1Label=Severity cs2=MS SQL SERVER cs2Label=Server Type cs3= cs3Label=Classification cat= app=TDS cs4=9.0 cs4Label=DB Protocol Version suser= sproc=MICROSOFT SQL SERVER MANAGEMENT STUDIO - QUERY act=SQL_LANG start=1666193583000 externalId=260673000000195656 duser=Default\special dst=0.0.0.0. dpt=1433 src= 0.0.0.0 spt=50111 proto=TCP dhost=SNSQLVNDD14L shost=LDNITDL-HY523D3 duid= cs5=1 cs6= cs7=HERMA msg=IF EXISTS\n\n(\n\n SELECT * FROM sys.objects \n\n#011WHERE Type \= 'P' AND name \= 'lsp_RebalanceIndices' AND SCHEMA_NAME(schema_id) \= 'REF'\n\n)\n\n#011DROP PROCEDURE [REF].[lsp_RebalanceIndices]

rjha-splunk commented 2 years ago

Yes, it is possible; please post the sample with header (capture it in pcap).

cjohn78 commented 2 years ago

Will do; it may take me a while as these are not frequently ingested logs.

cjohn78 commented 2 years ago

Hello, along with the previous request about the time issues, please also assist in extraction. For example, only cs2=MS is being extracted instead of cs2= MS SQL SERVER. Sample with header included: ibm_guardium.txt
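Both problems raised in this thread (taking the event time from the `start=` epoch-milliseconds field instead of the receive time, and keeping multi-word values such as `cs2=MS SQL SERVER` whole) come down to how the CEF extension is tokenised. The following Python is an added example written for this page; it is not SC4S code or anything from the project. It splits the header on unescaped `|`, finds each extension value by the position of the next `key=` token rather than by splitting on spaces, unescapes `\=` and `\n`, and converts the `start`/`rt` epoch milliseconds to a UTC datetime. The sample line is the one posted in this issue without its syslog header; the function names (`parse_cef`, `parse_extension`, `event_time`, `epoch_to_datetime`) are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the CEF event posted in this issue, without its
# syslog header. Backslashes are doubled only because this is a Python literal.
SAMPLE = (
    "CEF:0|IBM|Guardium|11.0|20021|Alert on Privileged Commands by Non-Authorized Users|5|"
    "rt=1666193760000 cs1=INFO cs1Label=Severity cs2=MS SQL SERVER cs2Label=Server Type "
    "cs3= cs3Label=Classification cat= app=TDS cs4=9.0 cs4Label=DB Protocol Version suser= "
    "sproc=MICROSOFT SQL SERVER MANAGEMENT STUDIO - QUERY act=SQL_LANG start=1666193583000 "
    "externalId=260673000000195656 duser=Default\\special dst=0.0.0.0. dpt=1433 src= 0.0.0.0 "
    "spt=50111 proto=TCP dhost=SNSQLVNDD14L shost=LDNITDL-HY523D3 duid= cs5=1 cs6= cs7=HERMA "
    "msg=IF EXISTS\\n\\n(\\n\\n SELECT * FROM sys.objects \\n\\n#011WHERE Type \\= 'P' AND name \\= "
    "'lsp_RebalanceIndices' AND SCHEMA_NAME(schema_id) \\= 'REF'\\n\\n)\\n\\n"
    "#011DROP PROCEDURE [REF].[lsp_RebalanceIndices]"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Header fields are separated by '|' unless the bar is escaped as '\|'.
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")

# An extension key is a run of [A-Za-z0-9_] at the start of the extension or
# after a space, directly followed by '='. A literal '=' inside a value is sent
# as '\=' (as Guardium does in the msg field above), so it never matches here.
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")

# CEF escapes: '\=' '\\' '\|' plus the control characters '\n' and '\r'.
# '#011' is the forwarding syslog daemon's octal encoding of a tab; it is left as-is.
ESCAPE_RE = re.compile(r"\\([=\\|nr])")
ESCAPE_MAP = {"n": "\n", "r": "\r"}


def unescape(value):
    return ESCAPE_RE.sub(lambda m: ESCAPE_MAP.get(m.group(1), m.group(1)), value)


def parse_extension(extension):
    """Map extension keys to values, keeping values that contain spaces intact.

    Splitting on spaces yields cs2=MS and loses 'SQL SERVER'; instead each
    value runs from its own '=' up to the space before the next key.
    """
    fields = {}
    matches = list(KEY_RE.finditer(extension))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        fields[m.group(1)] = unescape(extension[m.end():end].strip())
    return fields


def parse_cef(line):
    """Parse a CEF line (optionally prefixed by a syslog header) into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: prefix found")
    parts = HEADER_SPLIT_RE.split(line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    event = {name: unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    event["extension"] = parse_extension(parts[7])
    return event


def epoch_to_datetime(value):
    """Convert an epoch value to an aware UTC datetime.

    Guardium sends rt/start as 13-digit epoch milliseconds; 10-digit epoch
    seconds are accepted too, distinguished by magnitude.
    """
    n = int(value)
    if n >= 10 ** 12:
        return datetime.fromtimestamp(n / 1000, tz=timezone.utc)
    return datetime.fromtimestamp(n, tz=timezone.utc)


def event_time(event, preferred=("start", "rt")):
    """Pick the event time (what Splunk would store as _time) from the first
    usable epoch field in `preferred`; None if none is present."""
    ext = event["extension"]
    for key in preferred:
        value = ext.get(key, "")
        if value.isdigit():
            return epoch_to_datetime(value)
    return None


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["device_vendor"], ev["device_product"], "severity", ev["severity"])
    print("cs2 =", repr(ev["extension"]["cs2"]))
    print("_time =", event_time(ev).isoformat())
```

The key-position approach only works because CEF requires producers to escape `=` inside values, which Guardium does (`Type \= 'P'` in the msg field); a producer that sends an unescaped `=` inside a value will still be mis-tokenised, and that is a sender bug rather than something a parser can fix. The `start` before `rt` preference mirrors the request in this thread; swap the tuple to use the receipt time instead.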

cjohn78 commented 2 years ago

Any updates on this?

bparmar-splunk commented 1 year ago

@cjohn78, are you still facing this issue?

bparmar-splunk commented 1 year ago

@cjohn78, we did not hear anything from you. We are closing this issue.

Please reach out in case of any further queries.

Thank you.