I have the Splunk Add-on for SQL Server installed on some SQL servers and search heads. We have active SQL servers sending in data; however, none of it is being tagged as database by Splunk ITSI / the TA. Because of this, none of the default built-in KPIs for database are working in ITSI (tag=database returns nothing).
Any ideas?
The short answer is, you should not use the out-of-box database service. A few reasons for this are: you can't modify any of the KPIs, it defaults to running every minute, and it depends on tags to get its data, which in turn has higher performance issues. A better solution would be to clone that service and add new searches that don't rely on tags.
If you were 100% committed to using the out-of-box services, you could tag your events on the forwarder so the out-of-box KPIs will populate.