Henrique,
Good afternoon, I've read through your scenario and the default audit sink lookup policy is designed to pull the data from the database tables into context variables. I've attached the template Audit Sink Lookup policy.
The 2 key queries that are done are:
Pulls all Audit records for a period of time
SELECT id,nodeid,time,audit_level,name,message,signature,type from audit_main where time>=1545251464098 and time<1545253273578 and audit_level in (300, 400, 500, 700, 800, 900, 1000) and nodeid like '%' and type like '%' and lower(name) like lower('%') escape '#' and lower(user_name) like lower('%') and lower(user_id) like lower('%') and lower(message) like lower('%') and lower(entity_class) like lower('%') and entity_id like '%' and lower(operation_name) like lower('%') and lower(request_id) like lower('%') order by time desc limit 10000
When you select one that has an Associated Log entry
select * from audit_detail where audit_oid in ('aeb9073c-029d-42f2-ae61-228ba7758dad')
So the returned variables appear to be recordQuery.id, recordQuery.time,recordQuery.audit_level,recordQuery.name,recordQuery.message,recordQuery.signature,and recordQuery.type for the basic view in the Audit Viewer. As you click on each then it will pull back all the values in the table (shown below) and add "recordQuery." to the begin like recordQuery.ip_address. If there is an Associated log then it will pull values from the audit_detail table.
mysql> desc audit_main;
+--------------------+---------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------------------+---------------+------+-----+---------+-------+
| id | varchar(40) | NO | PRI | NULL | |
| nodeid | varchar(40) | NO | MUL | NULL | |
| time | bigint(20) | NO | MUL | NULL | |
| type | varchar(50) | YES | MUL | NULL | |
| audit_level | varchar(12) | NO | MUL | NULL | |
| name | varchar(255) | YES | MUL | NULL | |
| message | varchar(255) | NO | MUL | NULL | |
| ip_address | varchar(39) | YES | MUL | NULL | |
| user_name | varchar(255) | YES | MUL | NULL | |
| user_id | varchar(255) | YES | MUL | NULL | |
| provider_oid | varchar(40) | NO | | -1 | |
| signature | varchar(1024) | YES | | NULL | |
| properties | mediumtext | YES | | NULL | |
| entity_class | varchar(255) | YES | MUL | NULL | |
| entity_id | varchar(40) | YES | MUL | NULL | |
| status | int(11) | YES | | NULL | |
| request_id | varchar(40) | YES | MUL | NULL | |
| service_oid | varchar(40) | YES | | NULL | |
| operation_name | varchar(255) | YES | | NULL | |
| authenticated | tinyint(1) | YES | | 0 | |
| authenticationType | varchar(40) | YES | | NULL | |
| request_length | int(11) | YES | | NULL | |
| response_length | int(11) | YES | | NULL | |
| request_xml | mediumblob | YES | | NULL | |
| response_xml | mediumblob | YES | | NULL | |
| response_status | int(11) | YES | | NULL | |
| routing_latency | int(11) | YES | | NULL | |
| component_id | int(11) | YES | | NULL | |
| action | varchar(32) | YES | | NULL | |
+--------------------+---------------+------+-----+---------+-------+
Sincerely,
Stephen Hughes
Broadcom Support