All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Add-On for Oracle Database

mikemartin3doj
New Member
‎04-17-2020 10:46 AM

We have installed the Splunk Add-on for Oracle Database on the Universal Forwarder that is running on our database server. The database is sending the audit log to .xml files. We have set up the inputs.conf to monitor the audit log directory. The events are being sent to the correct index, I can see them in a search. However, the events are still not being parsed correctly. Is there any other configurations I need to do on the universal forwarder to get the events parsed correctly? Is there anything we need to do to get this working? We cannot use DBConnect to grab the logs due to legacy database issues.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-17-2020 11:09 AM

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-17-2020 11:09 AM

The add-on should also be installed on the indexers and search heads (with inputs disabled).

Putting the add-on on the UF defines the input, but then the indexer and search head don't know what to do with the data.
Installing the add-on on the indexer tells it how to parse timestamps and extract fields at index time.
Installing the add-on on the SH tells it how to perform search-time extractions.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mikemartin3doj
New Member
‎04-17-2020 11:22 AM

Thank you. We don't control the Indexers and Search Heads, so I hope we can get our Splunk admins to install it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...