SQL Injection Search that you can download from Splunkbase.
Install the app and give either of the two form search dashboards the name of the sourcetype representing your web logs (e.g., access_combined) and the name of the field in that sourcetype that holds the URI query string (e.g., uri_query). One form search uses patterns to detect possible SQL injection attacks, and the other uses a statistical pattern of the URI query string field's average length to find outliers. See below for an example screen output; I provide a sample log file in the logs directory so you can try the app out before using it with your own data. Simply enable the input in inputs.conf and restart Splunk.
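The two approaches described above can be sketched outside Splunk as follows. This is an added example, not the app's own searches: the log lines are constructed, and the regex signatures and the mean + 2 × standard deviation threshold are assumptions chosen for illustration.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed access_combined-style lines (not the app's bundled sample log).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=7 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=31 HTTP/1.1" 200 505 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=red+hat HTTP/1.1" 200 870 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /item?id=44&ref=home HTTP/1.1" 200 520 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /search?q=lamp&page=1 HTTP/1.1" 200 860 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2024:10:00:09 +0000] "GET /item?id=3 HTTP/1.1" 200 490 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:10 +0000] "GET /item?id=1%27+OR+1=1-- HTTP/1.1" 200 9000 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /item?id=1%20UNION%20SELECT%20null,null,null%20FROM%20dual HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Pulls the query string (the uri_query field) out of the quoted request line.
QUERY_RE = re.compile(r'"[A-Z]+ [^ ?"]*\?([^ "]*) HTTP/')

# Illustrative signatures only (assumption); the app ships its own patterns.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|\b(or|and)\s+\d+\s*=\s*\d+|--\s*$|/\*", re.I)

def query_strings(log_text):
    """Return uri_query for every request that has one; others are skipped."""
    return [m.group(1) for m in QUERY_RE.finditer(log_text)]

def pattern_hits(queries):
    """Pattern search: match signatures against the URL-decoded query string."""
    return [q for q in queries if SQLI_RE.search(unquote_plus(q))]

def length_outliers(queries, k=2.0):
    """Statistical search: flag queries longer than mean + k * stdev."""
    lengths = [len(q) for q in queries]
    if len(lengths) < 2:  # not enough data for a meaningful baseline
        return []
    limit = statistics.mean(lengths) + k * statistics.pstdev(lengths)
    return [q for q in queries if len(q) > limit]

if __name__ == "__main__":
    qs = query_strings(SAMPLE_LOG)
    print("pattern hits:   ", pattern_hits(qs))
    print("length outliers:", length_outliers(qs))
```

On this sample the short injection attempt is caught only by the pattern search, while the long one is caught by both, which is why the two dashboards are worth running side by side.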