I cannot find a \local folder under %SPLUNKHOME%\etc\apps\splunkappdbconnect\ after installing the DB_Connect add on. I have restarted the SQL services and Splunk service. We are running Windows Server 2012 R2. There is a \locale folder but no inputs.conf contained in the folder.
Following this documentation to configure SQL audit log collection into Splunk.
Hi, Out of the box there may only be a \default directory - I'll see what I can find. It looks like if you use a database connection name other than sqlserverdefaultconnection, then you will want to replace all instances of the string sqlserverdefaultconnection in %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf with the name you select instead. You may want to create a new \local directory to add your new inputs.conf in so it overrides anything in \default.
Also, make sure you are not confusing the
locale and the
local folder`. The former might have language specific stuff while the latter has your added configuration.
Also, if you created something that you would expect to be in the
local folder, it might actually be there - but in another app! As in, if you were working in another app context when you created the new configuration through the UI then peek there. You should be able to validate this by seeing what app context the configuration lives in through the UI (look at the data inputs listing and you may see a column for this info).
If all else fails,
btool http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati... will save you. By looking at all configuration you can use the debug flag to pinpoint what you're looking for.
Thank you both. Will check out these answers and will be back if I have any more questions. Appreciate the help.