We have Splunk Enterprise running on a Windows 2012 server, and I have configured Splunk DB Connect 2.x (latest) to connect to the MS SQL Server 11.x database; the connections are valid.
I am following the steps (configure inputs) as below, and the query in inputs.conf throws errors when I validate it in the DB Connect GUI as part of step 2 (preview data). The error is:
External search command 'dbxquery' returned error code 1. First 1000 (of 3842) bytes of script output: "RuntimeError: Failed to run query: "SELECT * FROM (SELECT [EPOEvents].[ReceivedUTC] as [timestamp], [EPOEvents].[AutoID], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threat_type], [EPOEvents].[ThreatEventID] as [signature_id], [EPOEvents].[ThreatCategory] as [category], [EPOEvents].[ThreatSeverity] as [severity_id], [EPOEventFilterDesc].[Name] as [event_description], [EPOEvents].[DetectedUTC] as [detected_timestamp], [EPOEvents].[TargetFileName] as [file_name], [EPOEvents].[AnalyzerDetectionMethod] as [detection_method], [EPOEvents].[ThreatActionTaken] as [vendor_action], CAST([EPOEvents].[ThreatHandled] as int) as [threat_handled], [EPOEvents].[TargetUserName] as [logon_user], [EPOComputerProperties].[UserName] as [user], [EPOComputerProperties].[DomainName] as [dest_nt_domain], [EPOEvents].[TargetHostName] as [dest_dns], [EPOEvents].[TargetHostName] as [dest_nt_host], [EPOComputerProperties].[IPHostName] as [fqdn], [dest_ip] = ( convert(varchar(3),convert(ti
I tested the tables; actually, all tables are from a schema called 'dbo'. When I search the mentioned tables individually, I can see the input normally.
EPOEvents Input OK
Query: SELECT * FROM "mydatabasename"."dbo"."EPOComputerProperties"
EPOLeafNode Input OK
EPOProdPropsView_VIRUSCAN Input OK
EPOComputerProperties Input OK
EPOEventFilterDesc Input OK
I guess there must be something we could edit to make the DB query work.