Queries Executed in DBConnect

This Splunk query will show the DBX or DBConnect queries executed. I have limited information to work with, so check back for updates.


Disclaimer – I'm using rex to replace the URL-encoded characters (%20, %5B and so on) that are output and ingested by Splunk. You may need to add to or remove these replacements depending on your output (see the query for details):

index=_audit sourcetype=audittrail action="db_connect_execute_query"
| rex "user=(?<user>\S+),\s"
| rex mode=sed "s/%20/ /g"
| rex mode=sed "s/%5D/]/g"
| rex mode=sed "s/%5B/[/g"
| rex mode=sed "s/%3D/=/g"
| rex mode=sed "s/%0A/ /g"
| rex mode=sed "s/%2C/,/g"
| rex mode=sed "s/%2F/\//g"
| rex mode=sed "s/%22/\"/g"
| rex "\sREST:\s\/db_connect\/query\/.+SELECT(?<DB_Query>.+)].\w\S\w]"
| table timestamp user DB_Query
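As an added example (not part of the original post, and not Splunk's or DB Connect's own code), the Python below does offline what the query above does inside Splunk: filter audit events on the execute-query action, percent-decode the REST path, and pull out the user and the SELECT statement. The audit lines it parses are constructed, and their field layout is an assumption chosen to match the patterns the post's rex stages expect. It also makes the post's caveat concrete: the fixed list of sed replacements misses any encoding not on the list (here %27, a single quote), whereas a general percent-decoder handles it.

```python
import re
from urllib.parse import unquote

# Constructed sample audittrail events. The field layout is an assumption that
# matches the patterns the post's rex stages expect; it is not a recorded log.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=05-01-2020 10:15:02.123, user=alice, action=db_connect_execute_query, "
    "info=granted REST: /db_connect/query/%5Bquery%3DSELECT%20id%2C%20email%20FROM%20users"
    "%20WHERE%20status%3D%22active%22%5D][n/a]",
    # %27 (single quote) is not in the post's replacement list
    "Audit:[timestamp=05-01-2020 10:16:44.001, user=bob, action=db_connect_execute_query, "
    "info=granted REST: /db_connect/query/%5Bquery%3DSELECT%20*%20FROM%20orders"
    "%20WHERE%20customer%3D%27bob%27%5D][n/a]",
    # a different action: must be ignored, as the post's search filter does
    "Audit:[timestamp=05-01-2020 10:17:00.500, user=carol, action=search, "
    "info=granted REST: /services/search/jobs][n/a]",
]

# The eight replacements the post applies with rex mode=sed, in the same order.
PAGE_SED_DECODINGS = [
    ("%20", " "), ("%5D", "]"), ("%5B", "["), ("%3D", "="),
    ("%0A", " "), ("%2C", ","), ("%2F", "/"), ("%22", '"'),
]

def decode_like_post(text):
    """Reproduce the post's fixed list of sed substitutions."""
    for encoded, plain in PAGE_SED_DECODINGS:
        text = text.replace(encoded, plain)
    return text

def decode_fully(text):
    """General percent-decoding; newlines become spaces as in the post's %0A rule."""
    return unquote(text).replace("\n", " ")

TIMESTAMP_RE = re.compile(r"timestamp=(?P<timestamp>[^,]+),")
USER_RE = re.compile(r"user=(?P<user>\S+),\s")          # same pattern as the post
# After decoding, the statement sits inside [...] on the DB Connect REST path.
QUERY_RE = re.compile(r"\sREST:\s/db_connect/query/.*?(?P<DB_Query>SELECT[^\]]+)")

def parse_audit_line(line, decoder=decode_like_post):
    """Return (timestamp, user, query) for a DB Connect execute-query audit
    event, or None for any other event. Mirrors the post's search: filter on
    the action, then extract the user and the decoded statement."""
    if "action=db_connect_execute_query" not in line:
        return None
    decoded = decoder(line)
    ts = TIMESTAMP_RE.search(decoded)
    user = USER_RE.search(decoded)
    query = QUERY_RE.search(decoded)
    if not (ts and user and query):
        return None
    return ts.group("timestamp"), user.group("user"), query.group("DB_Query").strip()

def executed_queries(lines, decoder=decode_like_post):
    """The equivalent of the post's final 'table timestamp user DB_Query'."""
    rows = [parse_audit_line(line, decoder) for line in lines]
    return [row for row in rows if row is not None]

if __name__ == "__main__":
    for row in executed_queries(SAMPLE_AUDIT_LINES):
        print(row)
    # Compare with a full decoder: the second query's %27 is only decoded here.
    for row in executed_queries(SAMPLE_AUDIT_LINES, decode_fully):
        print(row)
```

Running it prints the two DB Connect rows twice, once per decoder; with decode_like_post the second statement still reads `customer=%27bob%27`, with decode_fully it reads `customer='bob'`. The practical point for the Splunk search is the same: either extend the sed list with whatever encodings your DB Connect version emits, or decode before the final rex so the captured statement is the one the database actually ran.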