No data in app.


Hi all,

I've installed everything correctly and I have quite a lot of data being logged in Splunk now (nearly 20GB per day). I can see when I search for one of the SQL servers in Splunk as "host=servername" that it shows source = WinEventLog://Security and sourcetype = WinEventLog:Security so it's definitely logging data and indexing it in Splunk.

However, the Microsoft SQL Server App itself isn't showing any data.
When I run all 5 lookup generators, they all show no results, despite me seeing data indexed in Splunk for the SQL server.

How can I get the app to find the data?

0 Karma
1 Solution


Closing this because nobody can seem to solve it, so I'm just going to stop using the app.


0 Karma

Splunk Employee

I figured this one out, finally. Here's what I did:
Windows Server 2008 R2 and Windows 2012 R2 - Open PowerShell as Administrator

PS C:\> Get-ExecutionPolicy

If it's Restricted, then do the following:

PS C:\> Set-ExecutionPolicy Bypass

Say Yes to the Execution Policy Change.

Then run Get-ExecutionPolicy and see that it changed to Bypass:

PS C:\> Get-ExecutionPolicy

Once you have that done, now you'll need to make one more change.

Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security -> Logins -> NT AUTHORITY\SYSTEM (Properties) and grant the user sysadmin Server Role. Apply the change and restart your Splunk service. (Thanks Adrian:

Once you have all these steps done, then go into the app and run the Lookup Table Rebuilder (Searches & Reports->Lookup Table Rebuilder)

Lastly, you can run the search:

index=mssql | stats count, values(sourcetype) by host 

You should see the following source types show up:

0 Karma

Path Finder

The SQL app instructions don't include instructions for the other apps that you need - see for someone who is having the same problem. I'm still working through this myself, but at the very least you will need to ensure that PowerShell scripts can run.

On your SQL server:

  • Start a PowerShell window as an administrator
  • Run "Get-ExecutionPolicy". You can see what the answer means at
  • Run "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned" (if that's suitable for you - I'm still testing)
  • Run "Get-ExecutionPolicy" again to confirm the change.
  • Try running a script manually to see what happens (any script will do)
0 Karma
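
The execution-policy steps in the post above as one script, added here as an example (it is not from the thread or from Splunk): it lists the policy at each scope, reports which scope decides the effective value, and runs a constructed test script. The function names and the temp file name are assumptions made for the example.

```powershell
# Added example: find the scope that decides the effective execution policy
# and confirm that a script file can actually run. Run from an elevated prompt.
# Get-ExecutionPolicy -List returns scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.

function Get-DecidingScope {
    # The first scope whose value is not Undefined wins.
    Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
}

function Test-ScriptRuns {
    # Constructed one-line script written to a temp file, then invoked.
    $path = Join-Path $env:TEMP 'policy-check.ps1'
    Set-Content -Path $path -Value "'ok'"
    try {
        (& $path) -eq 'ok'
    } catch {
        # A blocked script raises a security exception that says why.
        Write-Warning $_.Exception.Message
        $false
    } finally {
        Remove-Item $path -ErrorAction SilentlyContinue
    }
}

Get-ExecutionPolicy -List | Format-Table -AutoSize

$effective = Get-ExecutionPolicy
$deciding  = Get-DecidingScope
"Effective policy: $effective"

if ($null -eq $deciding) {
    "No scope is set, so the Windows default applies."
} elseif ('MachinePolicy', 'UserPolicy' -contains $deciding.Scope) {
    # Group Policy scopes outrank anything Set-ExecutionPolicy writes.
    "Set by Group Policy ($($deciding.Scope)); change it in the GPO instead."
} else {
    "Decided by scope: $($deciding.Scope)"
}

if (Test-ScriptRuns) {
    "Script files can run under the current policy."
} else {
    "Script files are blocked. If RemoteSigned suits you, run:"
    "  Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine"
}
```

The script only reports; it changes nothing. A policy set at the CurrentUser scope applies to the account that set it, while LocalMachine applies to every account on the server.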

Splunk Employee

Lazarix -

If you have enterprise support, can you please open up a ticket and let me know the number in a private message?


0 Karma


What index did you store the data in? If you did not store it in the "main" index, you may have to go and change all the saved searches etc. to use the specified index, as it will default to main, I believe, in the searches.

0 Karma

