
Splunk Add-On for Oracle Database

mikemartin3doj
New Member

We have installed the Splunk Add-on for Oracle Database on the Universal Forwarder that is running on our database server. The database is sending the audit log to .xml files. We have set up the inputs.conf to monitor the audit log directory. The events are being sent to the correct index, I can see them in a search. However, the events are still not being parsed correctly. Are there any other configurations I need to do on the universal forwarder to get the events parsed correctly? Is there anything we need to do to get this working? We cannot use DBConnect to grab the logs due to legacy database issues.

Thanks in advance.


richgalloway
SplunkTrust

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.

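The three-tier layout the answer above describes, written out as an added configuration example (it is not from this thread or from the add-on's packaged files). The app directory name, the sourcetype name, the index name and the adump path are assumptions; check them against your installed add-on version and your database host.

```ini
# --- Universal Forwarder on the database server ---
# File: $SPLUNK_HOME/etc/apps/Splunk_TA_oracle/local/inputs.conf
# (app directory name assumed). The UF only reads the files and forwards
# them; it performs no timestamp parsing or field extraction itself.
# Monitor the XML audit trail in the instance's adump directory (path assumed).
[monitor:///u01/app/oracle/admin/ORCL/adump/*.xml]
# Sourcetype name assumed from the add-on's documentation; confirm it
# against the stanzas in the add-on's default/props.conf.
sourcetype = oracle:audit:xml
# Index name assumed; it must already exist on the indexers.
index = oracle
disabled = 0

# --- Indexers and search heads ---
# Install the same add-on, but leave every input switched off: the add-on's
# default/props.conf and transforms.conf are what these tiers need. The
# indexer uses them for line breaking and timestamps at index time, the
# search head for field extractions at search time. If a local/inputs.conf
# exists there at all, each monitor stanza is explicitly disabled:
[monitor:///u01/app/oracle/admin/ORCL/adump/*.xml]
disabled = 1
```

To confirm which tier is doing what, run `splunk btool inputs list --debug` on each host to see the effective input stanzas and their source files, and `splunk btool props list oracle:audit:xml --debug` on an indexer or search head to confirm the add-on's parsing settings are loaded there.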

mikemartin3doj
New Member

Thank you. We don't control the Indexers and Search Heads, so I hope we can get our Splunk admins to install it.
