All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-On for Oracle Database

mikemartin3doj
New Member
‎04-17-2020 10:46 AM

We have installed the Splunk Add-on for Oracle Database on the Universal Forwarder that is running on our database server. The database is sending the audit log to .xml files. We have set up the inputs.conf to monitor the audit log directory. The events are being sent to the correct index, I can see them in a search. However, the events are still not being parsed correctly. Is there any other configurations I need to do on the universal forwarder to get the events parsed correctly? Is there anything we need to do to get this working? We cannot use DBConnect to grab the logs due to legacy database issues.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-17-2020 11:09 AM

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-17-2020 11:09 AM

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mikemartin3doj
New Member
‎04-17-2020 11:22 AM

Thank you. We don't control the Indexers and Search Heads, so I hope we can get our Splunk admins to install it.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...