All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Reading MSSQL logs into splunk

rgtsplunk
Explorer
‎09-25-2014 08:27 AM

We are trying to read log files from Microsoft SQL servers. We have installed forwarders on the servers to send data to our indexers. The data is getting through to our indexers, but nothing is going into splunk. It appears that the mssql log files are binary files, so splunk will not index them. How can we get them into text and into splunk for searching?

Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎09-25-2014 08:32 AM

Which specific log files are you trying to read?

The MSSQL "transaction log" files are binary and are not splunkable. If you are after audit logs, then this needs to be configured within the MSSQL Management Console - at which point you choose the file location or Windows Event Log streams.

You can use the Splunk App for Microsoft SQL Server - it contains a specific TA for doing the SQL Server logs (both audit and functional aspects).

0 Karma
Reply

rgtsplunk
Explorer
‎09-25-2014 08:45 AM

I did download and install the Splunk App for Microsoft SQL Server, but did not see anything in the TA that would read the log files.

It also said that this app requires Splunk add-on for Microsoft Windows and Splunk add-on for Microsoft Powershell. We do not need the Microsoft Windows events, as they are being read by a different method already, and I do not know what Microsoft Powershell does.

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎09-25-2014 08:47 AM

Thats because the system log files and the audit logs files (if you follow the instructions) are provided within the Windows Event Logs - the TA and app contain specific decodes for those logs so you can recognize them.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...