Splunk App for Microsoft SQL-Server installation

gcusello
SplunkTrust

Hi all.
I'm trying to install Splunk App for SQL Server but I encountered some problems.
I installed the App on Splunk Enterprise 6.1.1.
On the DB Server (Windows Server 2008 Enterprise SP2 with DB SQL Server 2008/R2 Enterprise Edition) I installed the requested components:
* .NET 4.5
* Windows update with PowerShell 3.0
* TA Windows
* SA-ModularInput-Powershell
* TA-SQLServer
I set the correct permissions for the user "Local Service" (this is described in Community).
I enabled PowerShell scripts (I found the solution to this problem in Community).
The Splunk App receives all the events except the ones from PowerShell scripts (this means that the Forwarder is working).
Anyway, the "mssql" index remains empty.

I noted that TA-SQLServer and SA-ModularInput-Powershell need many environment variables to work properly, but I don't understand how to set them or whether there's an installation procedure: the documentation only says to unzip the file, copy it into etc/apps and restart the forwarder.

When launched from the PowerShell command line, the example scripts run correctly.
Instead, when launching the TA-SQLServer scripts from the PowerShell command line, they show that they didn't find any components, probably because the variables aren't set.

Has anyone encountered the same problem? How did you solve it?

Thank you in advance.
Bye.
Giuseppe

1 Solution

gcusello
SplunkTrust

Thanks to all: the problem was solved by changing the script path in the input.conf file of MT-SQLServer. I had already tried to permanently set the PowerShell variable $SPLUNK_HOME, but it did not work; this way it is OK. Thank you very much! Hello. Joseph

amiracle
Splunk Employee

I figured this one out, finally. Here's what I did:
Windows Server 2008 R2 and Windows 2012 R2 - Open Powershell as Administrator

PS C:\> Get-ExecutionPolicy

If it's Restricted, then do the following:

PS C:\> Set-ExecutionPolicy Bypass

Say Yes to the Execution Policy Change.

Then run Get-ExecutionPolicy and see that it changed to Bypass:

PS C:\> Get-ExecutionPolicy
Bypass

Once you have that done, now you'll need to make one more change.

Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security -> Logins -> NT AUTHORITY\SYSTEM (Properties) and grant the user the sysadmin Server Role. Apply the change and restart your Splunk service. (Thanks Adrian: http://answers.splunk.com/answers/108974/problem-with-powershell-and-splunk_for_sqlserver-app)

Once you have all these steps done, then go into the app and run the Lookup Table Rebuilder (Searches & Reports->Lookup Table Rebuilder)

Lastly, you can run the search:

index=mssql | stats count, values(sourcetype) by host

You should see the following source types show up:

MSSQL:Database:Health
MSSQL:Host:Memory
MSSQL:Instance:Service
MSSQL:Instance:User
Powershell:ScriptExecutionSummary

gcusello
SplunkTrust

I already tried to configure execution policies on PowerShell, but the problem was in the script paths.

0 Karma

SheridanCollege
Explorer

Check the inputs.conf and all the powershell scripts in the TA-SQLServer directory. Replace any references to $SplunkHome with the path to the SplunkUniversalForwarder you installed.

Your TA-SQLServer scripts didn't find any components because you didn't run Import-Module first to import the required .psm1 files.

0 Karma
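
The check described in the reply above, as an added example that is not part of the original thread or of TA-SQLServer: a PowerShell function that reports every $SplunkHome / $SPLUNK_HOME reference in an add-on's .conf, .ps1 and .psm1 files, shows the line with the forwarder path substituted, and tests whether the resulting script path exists. The add-on name TA-Sample, its inputs.conf stanza and the forwarder path are constructed assumptions; the function only reads files and changes nothing.

```powershell
# Added example: report (do not modify) $SplunkHome / $SPLUNK_HOME references in an add-on.
function Find-SplunkHomeReference {
    param(
        [Parameter(Mandatory)] [string] $AddonPath,     # add-on directory to scan
        [Parameter(Mandatory)] [string] $ForwarderHome  # forwarder install path to substitute
    )
    $pattern     = '\$(SplunkHome|SPLUNK_HOME)\b'        # matched case-insensitively
    $replacement = $ForwarderHome.Replace('$', '$$')     # keep "$" literal in -replace
    Get-ChildItem -Path $AddonPath -Recurse -File |
        Where-Object { $_.Extension -in '.conf', '.ps1', '.psm1' } |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $proposed = ($_.Line -replace $pattern, $replacement).Trim()
            # If the rewritten line quotes a .ps1 path, check that the file really exists.
            $exists = if ($proposed -match '"([^"]+\.ps1)"') {
                Test-Path -LiteralPath $Matches[1]
            } else { $null }
            [pscustomobject]@{
                File         = $_.Path
                Line         = $_.LineNumber
                Current      = $_.Line.Trim()
                Proposed     = $proposed
                ScriptExists = $exists
            }
        }
}

# Constructed sample data (hypothetical add-on "TA-Sample"; not the real TA-SQLServer files).
$sample = Join-Path $env:TEMP 'TA-Sample'
New-Item -ItemType Directory -Path (Join-Path $sample 'local') -Force | Out-Null
Set-Content -Path (Join-Path $sample 'local\inputs.conf') -Value @'
[powershell://SampleInput]
script = & "$SplunkHome\etc\apps\TA-Sample\bin\sample.ps1"
'@

# Assumed forwarder location; use the path of your own installation.
Find-SplunkHomeReference -AddonPath $sample -ForwarderHome 'C:\Program Files\SplunkUniversalForwarder' |
    Format-List
```

A ScriptExists value of False means the substituted path still does not point at an installed script, so the input would fail even after the variable is replaced.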

Spranta
Splunk Employee

Hi,

I've just started working with Splunk and have the same trouble getting the PowerShell scripts running. What do you mean by running Import-Module first?
After clicking on Generate Lookups, the CSV files are empty. I replaced $SplunkHome with the correct path of the Universal Forwarder installation.

And some further questions: do I generate the lookups on the Search Head? This is a Linux host; how can a Linux host handle PowerShell scripts? Do I have to do something else?
Do I also have to deploy the add-on /etc/apps/Splunk_for_SQLServer/appserver/addons/TA-SQLServer to the Universal Forwarder running on the SQL Server?

0 Karma
