All Apps and Add-ons

Splunk Add-On for Oracle Database

mikemartin3doj
New Member

We have installed the Splunk Add-on for Oracle Database on the Universal Forwarder that is running on our database server. The database is sending the audit log to .xml files. We have set up the inputs.conf to monitor the audit log directory. The events are being sent to the correct index, I can see them in a search. However, the events are still not being parsed correctly. Is there any other configurations I need to do on the universal forwarder to get the events parsed correctly? Is there anything we need to do to get this working? We cannot use DBConnect to grab the logs due to legacy database issues.

Thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mikemartin3doj
New Member

Thank you. We don't control the Indexers and Search Heads, so I hope we can get our Splunk admins to install it.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...