I have installed Splunk DB Connect 2 to monitor MS SQL Audit Logs. I am able to get audit logs, but I see same data is getting reindexed every 5 min.
Could someone please help fix this problem?
Inputs.conf
[rpcstart://default]
javahome = C:\Program Files\Java\jdk1.8.0_74
useSSL = 1
proc_pid = 668
[mi_input://Audit_Logs]
connection = splunk_sql
index = main
interval = 300
max_rows = 10000
mode = batch
output.timestamp = true
output.timestamp.column = EVENT_TIME
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSSSSS
query = select * From SQL_audit_log
source = dbx2
sourcetype = mssql:audit
ui_query_catalog = master
ui_query_mode = advanced
ui_query_schema = sys
1 Solution
