Re: Oracle Audit records and Splunk

  • From: Dragutin Jastrebic <orahawk@xxxxxxxxx>
  • To: john.jones@xxxxxxxx
  • Date: Mon, 23 Nov 2015 00:09:33 +0100

Hello

On one of my projects in the past I faced a similar challenge, to
transfer Oracle trace data to Splunk,
so here is what I did.

- Unix shell/AWK programming to extract the SYS trace. I did a small adaptation in
order to make it work with all
the versions from 8i until 11g. It was not so easy a task, I must admit.

- For all the other users, I put audit_trail=DB_EXTENDED, so it was simple
to extract data from sys.aud$.

(BTW, audit_trail=XML is probably a good option as well; traces are written
to the file system and not the database, and then they can be extracted with
SQL statements, not with awk or other tools, but I did not test it myself.)

- For Windows systems, the SYS trace must be extracted from the Event
Viewer. I installed the LogParser
tool to put the Event Viewer's data into text files and did the rest with
some Java/DOS shell programming.


Dragutin
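The SYS-trace step in the post above is the one that needs real parsing: the files that audit_sys_operations writes under audit_file_dest are multi-line records, not one line per event. What follows is an added example, not Dragutin's script and not an Oracle utility: a POSIX shell/awk normaliser that turns each record into one Splunk-style key=value line. The two sample files it writes are constructed in the shape of 10g-style ("PRIVILEGE : SYSDBA") and 11g-style ("PRIVILEGE :[6] 'SYSDBA'", timezone offset on the timestamp) audit files; that layout is an assumption from memory and differs between releases and patch levels, so compare it with your own adump files before relying on it. The paths and hostnames in the samples are made up.

```shell
#!/bin/sh
# Added example, not Dragutin's script and not an Oracle utility: turn the
# SYS audit files that audit_sys_operations writes under audit_file_dest
# (*.aud) into one key=value line per record, which Splunk indexes as-is.
# Field layout is assumed from 10g ("PRIVILEGE : SYSDBA") and 11g
# ("PRIVILEGE :[6] 'SYSDBA'", timezone on the timestamp) files; it differs
# between releases, so compare with your own adump files first.

parse_sys_audit() {
    # usage: parse_sys_audit FILE...
    awk -v q="'" '
    BEGIN { RS = ""; FS = "\n" }   # blank-line separated blocks, one field per line
    # Only blocks that begin with a timestamp are records; the file header
    # (Audit file ..., ORACLE_HOME = ..., Node name: ...) never matches.
    $1 ~ /^[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9][0-9][0-9][0-9]/ {
        n = 0
        for (i = 2; i <= NF; i++) {
            line = $i
            p = index(line, ":")
            key = (p > 0) ? substr(line, 1, p - 1) : ""
            sub(/[ \t]+$/, "", key)
            if (p > 0 && key ~ /^[A-Z][A-Z ]*$/) {
                # "KEY : value" (10g) or "KEY:[len] value" (11g)
                n++
                keys[n] = tolower(key); gsub(/ /, "_", keys[n])
                vals[n] = substr(line, p + 1)
                sub(/^[ \t]*/, "", vals[n])
                sub(/^\[[0-9]+\][ \t]*/, "", vals[n])   # drop the 11g length prefix
            } else if (n > 0) {
                # no upper-case KEY before the first colon: continuation of a
                # multi-line value (SQL text in ACTION); fold it onto one line
                vals[n] = vals[n] " " line
            }
        }
        out = "file=\"" FILENAME "\" time=\"" $1 "\""
        for (j = 1; j <= n; j++) {
            v = vals[j]
            if (substr(v, 1, 1) == q) v = substr(v, 2)            # Oracle quotes
            if (substr(v, length(v)) == q) v = substr(v, 1, length(v) - 1)
            gsub(/"/, q, v)                                        # keep key="value" well formed
            out = out " " keys[j] "=\"" v "\""
        }
        print out
    }' "$@"
}

write_sample_audit_files() {
    # Constructed samples (not real audit output): $1 in 11g shape, $2 in 10g shape.
    cat > "$1" <<'EOF'
Audit file /u01/app/oracle/admin/orcl/adump/orcl_ora_4242_20151123000933.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1
Node name:      dbhost01
Unix process pid: 4242, image: oracle@dbhost01 (TNS V1-V3)

Mon Nov 23 00:09:33 2015 +01:00
LENGTH : '251'
ACTION :[32] 'ALTER USER scott IDENTIFIED BY *'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1234567890'

Mon Nov 23 00:11:05 2015 +01:00
LENGTH : '293'
ACTION :[74] 'select username, account_status
from dba_users
where lock_date is not null'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1234567890'
EOF
    cat > "$2" <<'EOF'
Audit file /u01/app/oracle/admin/orcl/adump/ora_3131.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
Node name:      dbhost02
Unix process pid: 3131, image: oracle@dbhost02 (TNS V1-V3)

Mon Nov 23 00:15:02 2015
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
EOF
}

# Stand-alone demo: write the two samples to a scratch directory and parse them.
d=$(mktemp -d)
write_sample_audit_files "$d/orcl_ora_4242.aud" "$d/ora_3131.aud"
parse_sys_audit "$d"/*.aud
rm -rf "$d"
```

On a real host you would run it as `parse_sys_audit /u01/app/oracle/admin/orcl/adump/*.aud` (path assumed) and let a Splunk file monitor pick up the output, or feed it straight into a scripted input. Two caveats worth knowing: a record whose ACTION spans several lines is folded onto one line so every event stays one line, and that folding relies on a heuristic (a line counts as a new field only when the text before its first colon is all capitals), so a continuation line of SQL that starts with an upper-case word followed by a colon would be mis-read as a field. For the DB_EXTENDED users the same key=value emitter idea applies to rows selected from sys.aud$ or dba_audit_trail, which is why that side needed no awk in the post.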
