Hi,
I use DBConnect 2 to pull McAfee endpoint security data from ePO into Splunk and that part works great. However, when I tried to pull additional audit data from the same database, the data won't show up in the index. The test of the SQL query in the DBConnect connection was successful and there's no error in the splunkd.log. Here's the stanza in the inputs.conf:
[mi_input://ta_mcafee_epo_5_input:audit]
disabled = 0
host = <SQL Host Name>
connection = <Connection Name>
index = mcafee
interval = * * * * *
max_rows = 10000
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = SELECT [AutoId],[UserId],[UserName],[Priority],[CmdName],[Message],[Success],[StartTime],[EndTime],[RemoteAddress],[TenantId] FROM [ePO_MTIB-EPO-APP].[dbo].[OrionAuditLogMT] WHERE [AutoID] >10000
sourcetype = mcafee:audit
source = dbx1
mode = tail
tail_follow_only = 1
tail_rising_column_name = AutoID
tail_rising_column_number = 2
ui_query_mode = advanced
input_timestamp_column_name = timestamp
input_timestamp_column_number = 1
tail_rising_column_checkpoint_value = 10000
What could be the problem?
Thanks!
Wei
Wei,
did u find any solution for your issue
Do you have your DB configured to use case-sensitive column names? If so, check for proper spelling of your "AuditID" column, as you used inconsistent spelling. I suspect that it's not the case since you said the query works fine by itself, but thought I'd point it out anyways.
Also, if you want to use a rising column, your SQL statement needs to include {{WHERE $rising_column$ > ?}}