Ingesting Trace Logs into Splunk

Contributor

I am looking to ingest SQL Trace Logs into Splunk.

Can anyone direct me on how this could be achieved?

SplunkTrust

This should be no problem, but you have to create/use your trace in a particular way.

When you create the trace, choose the option to "save to table" which will save the trace into a database table. I don't remember if you can save a trace to a different DB hosted on the server you are tracing, but I think you can. This is really a "SQL Trace Configuration" issue, so read through Microsoft's docs if you have difficulties.

Now, once you have the trace data saved in a table it's easy to get that from there into Splunk. First, on a Heavy Forwarder or maybe a Search Head, install the Splunk DB Connect app. Once installed, create an identity (login) that will have access to the table you are saving your trace into, create a database connection to tell Splunk where/how to get to the DB server, then create a database input to finally retrieve the data into Splunk.

Happy Splunking!
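
One way to set up the identity and input query described in the answer above, as an added example that is not part of the original post. It is T-SQL for SQL Server; the names `TraceDB`, `dbo.SqlTrace` and `splunk_dbx_reader` are hypothetical, and the column list in the last query assumes those columns were selected in the trace.

```sql
-- Added example. Hypothetical names: TraceDB, dbo.SqlTrace, splunk_dbx_reader.
-- Run steps 1-3 as a DBA in SSMS or sqlcmd (GO is their batch separator).

-- 1. SQL login for the DB Connect identity. Replace the placeholder password
--    with a generated secret; CHECK_POLICY applies the Windows password policy.
CREATE LOGIN splunk_dbx_reader
    WITH PASSWORD = N'<PLACEHOLDER-generate-a-long-random-secret>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = TraceDB;
GO

-- 2. Map the login into the database that holds the saved trace and grant
--    SELECT on the trace table only: no db_datareader, no server roles.
USE TraceDB;
GO
CREATE USER splunk_dbx_reader FOR LOGIN splunk_dbx_reader;
GRANT SELECT ON OBJECT::dbo.SqlTrace TO splunk_dbx_reader;
GO

-- 3. Review the effective permissions by impersonating the new user.
--    Anything listed beyond CONNECT at database level, or beyond SELECT on
--    the trace table, is more than the Splunk input needs.
EXECUTE AS USER = 'splunk_dbx_reader';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE');
SELECT subentity_name, permission_name
FROM sys.fn_my_permissions('dbo.SqlTrace', 'OBJECT');
REVERT;
GO

-- 4. Query for a DB Connect rising-column input (entered in DB Connect, not
--    run in SSMS). RowNumber is the identity column Profiler adds when a
--    trace is saved to a table; DB Connect substitutes the last checkpoint
--    value for the "?", so each run fetches only rows it has not yet read.
SELECT RowNumber, EventClass, StartTime, LoginName, DatabaseName, TextData
FROM dbo.SqlTrace
WHERE RowNumber > ?
ORDER BY RowNumber ASC;
```

`TextData` holds the full statement text, including any literal values in the queries, so restrict read access on the Splunk index that receives this input.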

Contributor

Thank you so much for such a detailed description. I am already in the process of testing that. Waiting for the DB team to provide and implement necessary access.

Will keep you updated for any issues.

Thanks again @rich7177

SplunkTrust

You are very welcome.

For what it's worth, I remember SQL trace data being very chatty. Enough that you will want to keep an eye on your licensing as you roll this out. It would be helpful to keep the trace logs as small as you can by only making traces for the databases, users and activities you need.

SplunkTrust

If this has resolved (or was instrumental in resolving) your question, could you please "Accept" this answer? It will help others who search for this information later know that it is indeed a reasonably good answer.

And if you have further problems, you probably would do best to create a new Question specifically for it to keep this question and the new one both single-purpose.

Thanks,
Rich

Contributor

Hello @rich7177, I will mark this response as an "answer" even though the server team is yet to lead this to a success. Thank you so much for all the inputs you had provided.

Will reach out to you if I observe any discrepancies. Thank you again for the tip 🙂
