I have a database that I need to search that is full of windows event log entries.
Specifically, I need to return only a portion of the event message ('Account Name: John' in the example below). Unfortunately, this must be done with SQL, and there is not a set character that the string would start or end at and the 'John' portion could be any name in active directory.
This seems a little more like a job for Regex, but I was hoping there might be an alternative that I am missing.
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: WIN-R9H529RIO4Y\John
Account Name: John
Additional Information:
Caller Computer Name: WIN-R9H529RIO4Y
Thoughts?
This is probably not the most efficient solution to the problem, but it does seem to work.
I've left it verbose on purpose so that it can be understood, but you could easily condense this down into a single statement if you wanted to:
declare #string varchar(max) =
'A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: WIN-R9H529RIO4Y\John
Account Name: John
Additional Information:
Caller Computer Name: WIN-R9H529RIO4Y';
declare #AccountStartIndex int =
len(#string) - charindex(reverse('Account Name: '), reverse(#string));
declare #AccountEndIndex int =
charindex(char(13) + char(10), #string, #AccountStartIndex);
select substring(
#string,
#AccountStartIndex + 2,
#AccountEndIndex - #AccountStartIndex - 1);
It works by finding the last occurrence of Account Name: in the string and then working out the position of the newline following it. With these two pieces of information we can substring John out.
Related
I'm trying to set up a database into an elastic pool using Bicep. So far I've created a sql server and a related elastic pool successfully. When I try to then create a database that refers to these parts I get unstuck with a helpful error from Azure
'The language expression property array index '1' is out of bounds.'
I'm really unclear on what settings I need to put in the SKU and other properties of the sqlServer configuration. So far I have the following:
resource sqlDatabase 'Microsoft.Sql/servers/databases#2022-05-01-preview' = {
parent: sqlServer
name: databaseName
location: location
sku: {
name: databaseSku
}
properties: {
elasticPoolId: elasticPoolId
collation: collation
maxSizeBytes: maxDatabaseSizeInBytes
catalogCollation: collation
zoneRedundant: zoneRedundant
readScale: 'Disabled'
requestedBackupStorageRedundancy: 'Zone'
}
}
I want to use the StandardElastic pool and I've tried passing that as the databaseSku and I want to use 50 DTU's as the limit. But there is capacity, family, size and tier and from powershell I get these sorts of options:
Sku Edition Family Capacity Unit Available
------------ ---------------- -------- ---------- ------ -----------
StandardPool Standard 50 DTU True
StandardPool Standard 100 DTU True
StandardPool Standard 200 DTU True
StandardPool Standard 300 DTU True
So how do I map my sql database onto my sql server on that pool using the 50 DTU StandardPool settings? Capacity appears to be a string as well on this template!
I found out that firstly you don't supply an sku to the sql database as it inherits the SKU information from the pool (which makes sense). Secondly that in my reference to the elastic pool above I was using the following syntax
resource elasticPool 'Microsoft.Sql/servers/elasticPools#2022-05-01-preview'
existing = {
name: 'mything-pool'
}
And had excluded the PARENT for the pool, so the correct reference to the pool would have been
resource elasticPool 'Microsoft.Sql/servers/elasticPools#2022-05-01-
preview' existing = {
name: 'mything-pool'
parent: **dbServer**
}
Which then fixed my obscure error
There is any way to test a seed with a relatioship coming from a external source?
I'm trying to test the seeds before creating them, to do this I'm creating in this moment a relationship test but with an external source.
I would like to do something like this in the seeds/schema.yml:
version: 2
seeds:
- name: products_market
description: ""
columns:
- name: id_source
description: "ID source"
- name: id_target
description: "id target"
tests:
- relationship:
to: source('dt', 'products')
field: id_product
In this case the field id_target would be checked if exists the field id_product from dt.products
But I get the error
'test_relationship' is undefined. This can happen when calling a macro that does not exist. Check for typos and/or install package dependencies with "dbt deps".
The sources.yml
version: 2
sources:
- name: dt
tables:
- name: products
description: General Products
I saw this info but not sure if I'm doing it well or maybe there is another way to do this
https://docs.getdbt.com/reference/seed-properties
https://docs.getdbt.com/reference/resource-properties/tests
EDIT:
I was missing an 's' in the test relationships statement in the schema.yml. Anyway it doesn't look i'm doing it properly, it says there is no test or do nothing when I do dbt seed... or dbt build
version: 2
seeds:
- name: products_market
description: ""
columns:
- name: id_source
description: "ID source"
- name: id_target
description: "id target"
tests:
- relationship**s**:
to: source('dt', 'products')
field: id_product
Thanks in advance
I have configured a database email, operators, and such on my SQL managed instance, to receive an email when a job fails.
In the email, we get something like this "The yyy_job failed on step 3".
But my question is... Is there a way to add the error message on the body of the email? I've been searching for this, but can't fine a suitable answer.
Thank you in advance
As far as I know there's no way to add further details to the email notifications when a job fails.
The only way is to implement your own notification process.
https://www.sqlshack.com/reporting-and-alerting-on-job-failure-in-sql-server/
We have a similar set up. We have a SQL Server Agent job that consists of several steps.
I configured it in such a way that we receive notification email when the job starts and another email when it finishes. There are two versions of the final email - one for success, another for failure.
At the end of the job there are two final steps called "Email OK" and "Email FAIL". Note how each of the steps have their "On Success" and "On Failure" configured.
This is how "Email OK" and "Email FAIL" steps look like in our case:
In my case I simply have different subjects of the emails, so it is easy to filter in the email client.
You can write any extra T-SQL code to execute a query against msdb.dbo.sysjobhistory and include the relevant result into the email.
I will not write a complete query here, but I imagine it would look similar to my sketch below. If you need help with that, ask another question.
This is how you can use msdb.dbo.sp_send_dbmail to include the result of some query into the email text:
EXEC msdb.dbo.sp_send_dbmail
#profile_name = 'ABC'
,#recipients = 'abc#example.com'
,#subject = 'Some subject line'
,#body = #VarBody
,#body_format = 'TEXT'
,#importance = 'NORMAL'
,#sensitivity = 'NORMAL'
,#query = N'
-- show latest entry in the log for your job
SELECT TOP(1)
message, ...
FROM
msdb.dbo.sysjobhistory
WHERE
job_id = ''your job ID''
ORDER BY
instance_id DESC;
'
,#execute_query_database = 'msdb'
;
Have a look at the documentation for a list of parameters for sp_send_dbmail. Example above inlines the query result. You can also attach it as a separate file.
Trying to config my first script
My goal is to automate an alert if my heater is in Error… there are many type error … The only state that is good is E-00: OK’
i would like to trigger the script only if the value is <> to state: "E-00: OK’
Is there a way to do that?
Script Yaml
alias: >-
Heater E10
sequence:
condition: state
entity_id: sensor.heater_error_string
state: "E-00: OK’
mode: single
icon: mdi:radiator
Yes, you can create server-side automation script which is triggered only when your text sensor entity value changes from OK to any other.
For example, you may try:
automation:
trigger:
- platform: state
entity_id: sensor.heater_error_string
from:
- "E-00: OK"
action:
- service: notify.mobile_phone_app
data:
message: heater is not ok
title: Heater Notification
mode: single
i am trying to objectify the security event log by using the ConvertFrom-String PowerShell cmdlet, but am not able to work it out.
First i am getting the event/s from my DC.
$events = Get-WinEvent -ComputerName $comp FilterHashtable #{logname='security';id=4727}
Next i define my template.
$tmpl = #'
{Event:A security-enabled global group was created.}
Subject:
Security ID: S-1-5*
{SubjectName:Account Name: andrew}
Account Domain: DOMAIN
Logon ID: 0x16D280EB
New Group:
Security ID: S-1-5*
{GroupName:Group Name: test1}
Group Domain: DOMAIN
Attributes:
SAM Account Name: test1
SID History: -
Additional Information:
Privileges: -
'#
Finally i try to turn it into objects.
($events).message | ConvertFrom-String -TemplateContent $tmpl
But my output is only
Event: A security-enabled global group was created.
Instead, I want to get something like;
Event: A security-enabled global group was created
SubjectName: andrew
GroupName: test1
And i would like this to be compatible to loop through many similar events to pull out the right bits??
I posted the same question in the Microsoft forums and got an immediate answer, and so for those interested, here it is.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/42f8e6a3-4304-4215-b521-d611e3216e1c/eventlog-convertfromstring?forum=winserverpowershell