topic Re: MS SQL APP without data in All Apps and Add-ons

MS SQL APP without data

anthonychen — Sun, 08 Dec 2013 13:21:05 GMT

Hi all,
I am new here. I just using Splunk App for Microsoft SQL Server but without any data.
1 My splunk server version is 5.0.6
2 windows 2008 server sp2 + MS SQL 2008 server enterprise

3 I followed all step of installation document. I do see security eventcode 33205
When I using sourcetype="WinEventLog:Security" at splunk search bar , I got the following result.

12/08/2013 08:52:05 PM
LogName=Security
SourceName=MSSQLSERVER$AUDIT
EventCode=33205
EventType=0
Type=info
ComputerName=WIN-DZ8JDWE5XJV
User=Administrator
Sid=S-1-5-21-452095144-2453852085-683102615-500
SidType=1
host=WIN-DZ8JDWE5XJV sourcetype=WinEventLog:Security source=WinEventLog:Security

When I run the lookup generator on this app, I got no result of all 5 lookup.
Does anybody know what should I do or missing something? Please advise.
Thank you very much!

Anthony

Re: MS SQL APP without data

anthonychen — Sun, 08 Dec 2013 13:39:50 GMT

I forgot to say one thing. MS SQL APP version is 0.1.7 which supports splunk 5.

Re: MS SQL APP without data

nagadeepthi — Thu, 16 Jan 2014 20:20:26 GMT

Hi Anthony I am also a newpie for splunk and even i am facing same issue which you have mentioned above ,can you please help out to resolve this issue if you have found any solution for this

Can someone do the needful help for us to resolve this issue

Re: MS SQL APP without data

amiracle — Mon, 28 Sep 2020 17:14:13 GMT

I figured this one out, finally. Here's what I did:
Windows Server 2008 R2 and Windows 2012 R2 - Open Powershell as Administrator

PS C:\>Get-Execution Policy

If it's Restricted, then do the following:

PS C:\>Set-Execution Policy Bypass

Say Yes to the Execution Policy Change.

Then run Get-ExecutionPolicy and see that it changed to Bypass:

PS C:\> Get-ExecutionPolicy
Bypass

Once you have that done, now you'll need to make one more change.

Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security ->Logins -> NT AUTHORITY\SYSTEM (Properties) and grant the user sysadmin Server Role. Apply the change and restart your Splunk service. (Thanks Adrian: http://answers.splunk.com/answers/108974/problem-with-powershell-and-splunk_for_sqlserver-app)

Once you have all these steps done, then go into the app and run the Lookup Table Rebuilder (Searches & Reports->Lookup Table Rebuilder)

Lastly, you can run the search:

index=mssql | stats count, values(sourcetype) by host

You should see the following source types show up:

MSSQL:Database:Health
MSSQL:Host:Memory
MSSQL:Instance:Service
MSSQL:Instance:User
Powershell:ScriptExecutionSummary

Re: MS SQL APP without data

hnakhle — Thu, 19 Jul 2018 12:19:31 GMT

Hello,

I am seeing the below; WinEventLog:Application
WinEventLog:Security