We're polling an audit file from our SQL server that includes a field called **additional information**. This field has a field inside it: field
that I need to be indexed. I may have done something wrong in setting up the input, because I kind of expected this to be an indexed field from the beginning.
This is the input:

```
[mi_input://mssql:audit]
connection = SQLServer
index = main
interval = 60
max_rows = 10000
mode = tail
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = SELECT * FROM sys.fn_get_audit_file ('M:\\\\AuditFiles\\\\*',default,default)
source = dbx2
sourcetype = mssql:audit
tail_follow_only = 1
tail_rising_column_name = event_time
tail_rising_column_number = 1
ui_query_mode = advanced
disabled = 0
tail_rising_column_checkpoint_value = 1449605957973
```
and this is the result:

```
"2015-12-08 11:15:19" event_time=1449609223316, sequence_number=1, action_id="LGIS", succeeded=1, permission_bitmask=## NOT SUPPORTED TYPE ##, is_column_permission=0, session_id=65, server_principal_id=274, database_principal_id=0, target_server_principal_id=0, target_database_principal_id=0, object_id=0, class_type="LX", session_server_principal_name="xxxx\svcSQLxxxx", server_principal_name="xxxx\svcSQLxxxx", server_principal_sid=## NOT SUPPORTED TYPE ##, target_server_principal_sid=## NOT SUPPORTED TYPE ##, server_instance_name="xxxxxxxxxx", statement="-- network protocol: LPC
set quoted_identifier on
set arithabort off
set numeric_roundabort off
set ansi_warnings on
set ansi_padding on
set ansi_nulls on
set concat_null_yields_null on
set cursor_close_on_commit off
set implicit_transactions off
set language us_english
set dateformat mdy
set datefirst 7
set transaction isolation level read committed", additional_information="1 0x28000020 0x0001f438 0x00000000 8000 local machine0 ", file_name="M:\AuditFiles\Audit_Logins_Fail_Success_Log_42C90784-3268-445A-94B3-4CD7D392B997_0_130934732017490000.sqlaudit", audit_file_offset=191027200, user_defined_event_id=0
```
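As an added example (not code from the original post, from Splunk, or from DB Connect), here is a small parser that turns a `mssql:audit` event line like the one above into key/value pairs and then splits the `additional_information` value into named subfields. It assumes, and this is not stated on the page, that for login events (`action_id` `LGIS`/`LGIF`) the value is the text of SQL Server's `action_info` XML with the tags stripped, so the tokens are `pooled_connection client_options client_options1 connect_options packet_data_size address is_dac` in that order. The last two run together with no separator (`local machine0` in the post), which is why a plain whitespace split would mis-assign them; the regex peels the single trailing `is_dac` digit off the address instead. The sample event is a trimmed copy of the one in the post.

```python
"""Parse a Splunk DB Connect mssql:audit event and its additional_information field.

Added example, not from the original post or from DB Connect. The subfield
order inside additional_information is an assumption (SQL Server's login
action_info XML with tags stripped), not something the page states.
"""
import re

# Constructed sample: the event from the post, with the statement shortened.
SAMPLE_EVENT = (
    '"2015-12-08 11:15:19" event_time=1449609223316, sequence_number=1, '
    'action_id="LGIS", succeeded=1, permission_bitmask=## NOT SUPPORTED TYPE ##, '
    'session_id=65, server_principal_name="xxxx\\svcSQLxxxx", '
    'statement="-- network protocol: LPC\nset quoted_identifier on", '
    'additional_information="1 0x28000020 0x0001f438 0x00000000 8000 local machine0 ", '
    'audit_file_offset=191027200, user_defined_event_id=0'
)

# key=value pairs as DB Connect emits them: the value is either double-quoted
# (and may span lines, e.g. statement=) or bare and terminated by the next comma.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')

# Subfields of additional_information for login events (assumed layout, see above).
# Named groups use (?P<name>...) so the same regex also works as a Splunk PCRE extraction.
ADDITIONAL_INFO_RE = re.compile(
    r'^(?P<pooled_connection>[01])\s+'
    r'(?P<client_options>0x[0-9A-Fa-f]{8})\s+'
    r'(?P<client_options1>0x[0-9A-Fa-f]{8})\s+'
    r'(?P<connect_options>0x[0-9A-Fa-f]{8})\s+'
    r'(?P<packet_data_size>\d+)\s+'
    # address is free text ("local machine", an IP, ...) and is_dac is the single
    # digit glued to its end; the lazy quantifier leaves exactly that digit for is_dac.
    r'(?P<address>.+?)(?P<is_dac>[01])\s*$'
)

NOT_SUPPORTED = "## NOT SUPPORTED TYPE ##"


def parse_event(line: str) -> dict:
    """Return the event's key=value pairs; unsupported-type markers become None."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        val = raw.strip()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = None if val == NOT_SUPPORTED else val
    return fields


def parse_additional_information(value: str) -> dict:
    """Split a login event's additional_information value into named subfields.

    Returns an empty dict when the value does not match the assumed login layout
    (other audit action types carry different content in this column).
    """
    m = ADDITIONAL_INFO_RE.match(value or "")
    return m.groupdict() if m else {}


def login_summary(line: str) -> dict:
    """Fields a defender usually wants per login event: who, from where, DAC or not."""
    ev = parse_event(line)
    info = parse_additional_information(ev.get("additional_information", ""))
    return {
        "action_id": ev.get("action_id"),
        "succeeded": ev.get("succeeded") == "1",
        "principal": ev.get("server_principal_name"),
        "address": info.get("address"),
        # A Dedicated Administrator Connection login is rare and worth alerting on.
        "is_dac": info.get("is_dac") == "1",
    }


if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT)["additional_information"])
    print(parse_additional_information(parse_event(SAMPLE_EVENT)["additional_information"]))
    print(login_summary(SAMPLE_EVENT))
```

If the goal is search-time extraction in Splunk rather than a sidecar script, the same `ADDITIONAL_INFO_RE` pattern (minus the Python `r'...'` quoting) can be dropped into `props.conf` as `EXTRACT-login_info = <regex> in additional_information` for the `mssql:audit` sourcetype, since Splunk's PCRE accepts `(?P<name>...)` groups; index-time extraction via `transforms.conf` is only worth it if you need to `tstats` on these subfields.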