Does anyone have a working inputs.conf or db_inputs.conf for MS SQL Server on Splunk DB Connect 3?

nhdpotter
Explorer

I've tried copying the Splunk DB Connect 2.x inputs file from Splunk Add-on for Microsoft SQL Server as both db_inputs.conf and inputs.conf in my Splunk DB Connect v3 /local/ directory but cannot get it to work. At a minimum, I receive a bunch of stanza errors when I reload Splunk (I copied the newest spec file as well, which isn't included in the app), and at most I can get inputs listed on the inputs tab within DB Connect, but cannot get the inputs to actually run or return results.

The identity and connection both test successfully, and I'm able to use the data browser in dbconnect to see my tables.

0 Karma

jcoates_splunk
Splunk Employee

Hi,

http://docs.splunk.com/Documentation/DBX/3.0.0/ReleaseNotes/Releasenotes: the template files included in Splunk Add-on for McAfee, Splunk Add-on for Oracle Database, and Splunk Add-on for Microsoft SQL will not work if copied into DB Connect 3.

It should work if you make a new input and paste the SQL from the docs into that.

0 Karma

k_harini
Communicator

Hi,

I tried the same settings. I could see the data, but it gets duplicated and the index keeps growing. How to avoid duplicates? Please help, it's urgent. Can we use the crcsalt flag here? Will it work?

0 Karma

gjanders
SplunkTrust

Perhaps you need to use rising column mode instead of batch mode in the input?

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma
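
Added example, not part of any post in this thread: a Python simulation of why a batch-mode input re-indexes the same rows on every interval while a rising column input, which fetches only rows above a saved checkpoint, does not. The sqlite3 table `page_repair` and its `id` column are constructed stand-ins, not DB Connect code or a real SQL Server view.

```python
import sqlite3

# Constructed stand-in for a source table; all names are illustrative only.
def make_source():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE page_repair (id INTEGER PRIMARY KEY, detail TEXT)")
    return db

def add_rows(db, n):
    db.executemany("INSERT INTO page_repair (detail) VALUES (?)",
                   [("event",)] * n)

def poll_batch(db, index):
    # Batch mode: every run re-reads the whole result set and indexes it again.
    index.extend(db.execute("SELECT id, detail FROM page_repair ORDER BY id"))

def poll_rising(db, index, checkpoint):
    # Rising column mode: only rows above the saved checkpoint are fetched,
    # then the checkpoint advances to the highest value seen.
    rows = db.execute(
        "SELECT id, detail FROM page_repair WHERE id > ? ORDER BY id ASC",
        (checkpoint,)).fetchall()
    index.extend(rows)
    return rows[-1][0] if rows else checkpoint

def simulate(runs=3, new_rows_per_run=2):
    # Each run adds new source rows, then both input styles poll once.
    db = make_source()
    batch_index, rising_index, checkpoint = [], [], 0
    for _ in range(runs):
        add_rows(db, new_rows_per_run)
        poll_batch(db, batch_index)
        checkpoint = poll_rising(db, rising_index, checkpoint)
    source_rows = db.execute("SELECT COUNT(*) FROM page_repair").fetchone()[0]
    return source_rows, len(batch_index), len(rising_index), checkpoint

if __name__ == "__main__":
    src, batch, rising, ckpt = simulate()
    print(f"source rows={src} batch-indexed={batch} "
          f"rising-indexed={rising} checkpoint={ckpt}")
```

The rising column approach only works when the chosen column never decreases and is never reused for older rows.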

nhdpotter
Explorer

I copied it in as db_inputs.conf and saw most of it worked. So I used the GUI to find where it thought it was broken. I then used the settings from the TA MS SQL to create a new input via the GUI of DB Connect 3. Below is a comparison, if it helps people modify their existing configurations.

From Splunk_TA_microsoft-sqlserver\default\sqlserver_dbx2.conf:
## mssql:alwayson
[mi_input://:alwayson:dm_hadr_auto_page_repair]
connection = SQLServer
index = main
interval = 300
max_rows = 10000
mode = batch
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = SELECT *,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM sys.dm_hadr_auto_page_repair
source = dbx2
sourcetype = mssql:alwayson:dm_hadr_auto_page_repair
ui_query_mode = advanced
disabled = 0

And as saved in splunk_app_db_connect/local/db_inputs.conf:
[alwayson:dm_hadr_auto_page_repair]
connection = SQLSERVER
host = hostname/IP
index = main
interval = 300
max_rows = 10000
mode = batch
query = SELECT *,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM sys.dm_hadr_auto_page_repair
source = DBX
sourcetype = mssql:alwayson:dm_hadr_auto_page_repair
ui_query_mode = advanced

And finally, in splunk_app_db_connect/local/inputs.conf:
## mssql:alwayson
[mssql:alwayson:dm_hadr_auto_page_repair]
mode = batch
output_timestamp_format = YYYY-MM-dd HH:mm:ss
ui_query_mode = advanced

0 Karma