All Apps and Add-ons

Splunk DB Connect 2: Why are MSSQL DB Audit Logs getting reindexed every 5 minutes?

satishsdange
Builder

I have installed Splunk DB Connect 2 to monitor MS SQL Audit Logs. I am able to get audit logs, but I see same data is getting reindexed every 5 min.
Could someone please help fix this problem?

Inputs.conf

[rpcstart://default]
javahome = C:\Program Files\Java\jdk1.8.0_74
useSSL = 1
proc_pid = 668

[mi_input://Audit_Logs]
connection = splunk_sql
index = main
interval = 300
max_rows = 10000
mode = batch
output.timestamp = true
output.timestamp.column = EVENT_TIME
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSSSSS
query = select * From SQL_audit_log
source = dbx2
sourcetype = mssql:audit
ui_query_catalog = master
ui_query_mode = advanced
ui_query_schema = sys

alt text

0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

This is because of you use "mode = batch", DB Connect will dump the whole table every time mi_input runs.
You should use "mode = tail" aka "Follow Tail" and assign a unique rising column

http://docs.splunk.com/Documentation/DBX/2.1.3/DeployDBX/Createandmanagedatabaseinputs#Set_parameter...

View solution in original post

0 Karma

mchang_splunk
Splunk Employee
Splunk Employee

This is because of you use "mode = batch", DB Connect will dump the whole table every time mi_input runs.
You should use "mode = tail" aka "Follow Tail" and assign a unique rising column

http://docs.splunk.com/Documentation/DBX/2.1.3/DeployDBX/Createandmanagedatabaseinputs#Set_parameter...

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...