I have two fields I want to modify, sql_bind and sql_text. The fields contain sql statement from oracle logs:
"sql_bind":" #1(8):25793401"
"sql_text":"delete from table01 where num01 = :b1""sql_bind":" #1(8):24834401 #2(5):63877"
"sql_text":"delete from table01 where num01 = :b1 and num02 = :b2 ""sql_bind":" #1(8):24834401 #2(5):64267 #3(7):dataxyz"
"sql_text":"delete from table01 where num01 = :b1 and num02 = :b2 and text01 = :b3"
I want to extract the variables from sql_bind and create new fields based on their values. The problem is that beforehand you can't know how many fiels you will have to extract.
After that I would like to reconstruct the sql_text into a whole statement replacing the variable name with the corresponding value taken from sql_bind.
I've tried with a mutate filter but since the splitting string is at the start of each value, I get one empty field in the array:
mutate { split => { "sql_bind" => " #" } }
Results in:
"sql_bind" => [ [0] "", [1] "1(8):24834401" [2] "2(5):63877" ]
Even after solving that, I have the problem of reinserting the values into sql_text.
Any help would be appreciated.