Lookups for the Splunk Add-on for Oracle Database¶
The Splunk Add-on for Oracle Database has the following lookups that map fields from Oracle Database systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_oracle/lookups.
Note: In the Splunk Add-on for Oracle Database version 4.1.0, the file name for the audit action lookup has been changed from
oracle\_audit\_action.csvtooracle\_audit\_action\_410.csv. If you want to continue using the old lookup for dashboards, then you can use the respective lookup file name directly in your search queries. However, Splunk best practice is to use the new lookup for any use case.
| Filename | Description |
|---|---|
oracle_audit_action_410.csv |
Maps ACTION to NAME |
oracle_audit_type.csv |
Maps AUDITTYPE to audit |
oracle_fga_statement_type.csv |
Maps STMTTYPE to statementtype |
oracle_login_failure_reason.csv |
Maps RETURN_CODE to REASON |
oracle_ora_codes.csv |
Maps ORACODE to DESCRIPTION, CAUSE, ACTION |
oracle_returncode.csv |
Maps RETURNCODE to result |
oracle_system_privilege_map.csv |
Maps PRIVILEGE to PRIVUSED, PRIVGRANTED, privilege |