What is your problem which you are trying to solve? I mean real issue not how you are trying to solve it?

Hi @isoutamo , 

I'm currently reviewing the Splunk configuration for the DB and i noticed that the logs are forwarded to Splunk every hour except 11am to 1pm. So I'm wondering if the events between 10AM and 1:59PM, will it be forwarded to Splunk based on this configuration.

And also if the timespan set in the correlation rule is10mins (e.g., _index_earliest=10m@m _index_latest=@m), will I miss any records? 

What kind of SPL query you have in your db_input?
What is it's current schedule?
How you have verified that event's haven't have come to splunk?
Are you sure that there are events in DB for that time and also that those events are there on that time when you are quering those with DBX in 1st time?

My SPL query is as follows:

index=mssqlDB sourcetype=mssql* _index_earliest=10m@m _index_latest=@m

| stats count as events, dc(database_name) as databases, dc(login_name) as users, avg(duration) as avg_duration by host

 

my current schedule is 0 0-10,14-23 * * *

 

The other 2 questions are very good questions, but I have not thought of how to verify them yet. 

 

 

You have _index_earliest and _index_latest, but what are your earliest and latest.

Actually this is your search from splunk index, but what is your DB Connect input SQL statement?

My SQL statement is as follows:

 

select * FROM sys.fn_get_audit_file ('i:\sql\mssqlaudit*.sqlaudit', default, default)

WHERE event_time > ?

In addition, if the fetch size is set at 100, will affect the number of records that it will be pipe to Splunk? Thank you. 

Thanx. Can you copy that part from db_inputs.conf? Also add relevant part from inputs.conf, so we see the schedule also.

And put those inside </> editor tag, so this platform didn’t change your paste and it’s easier to read.