Hi,

My setup (all on one server - test environment:
Splunk Enterprise 7
Splunk Add-on for Microsoft SQL Server Splunk_TA_microsoft-sqlserver 1.3.0

Splunk DB Connect splunk_app_db_connect 3.1.1

I have been able to create Data input for one test table.

I have edited inputs.conf and sqlserver_dbx2.conf as below (it is some of the stanzas):

[mssql:audit]
description = Collect audit event data from audit log file
interval = 60
mode = rising
index_time_mode = current
query = SELECT * \
FROM sys.fn_get_audit_file ('C:\\SQLAudit\\*',default,default) \
WHERE event_time > ? \
ORDER BY event_time ASC
sourcetype = mssql:audit
rising_column_index = 1

[mssql:processes]
description = Collect information of processes that are running on an instance of SQL Server
interval = 300
mode = batch
index_time_mode = current
query = SELECT a.*, b.name,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM

sys.sysprocesses a JOIN sys.databases b ON a.dbid = b.database_id
sourcetype = mssql:processes

[mssql:databases]
description = Collect information about databases in a SQL Server instance
interval = 300
mode = batch
index_time_mode = current
query = SELECT *,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM
sys.databases
sourcetype = mssql:databases

But I am NOT able to get SPLUNK to capture this data. I can only see data from:
When I use index=_internal, FROM:
log files in C:\program Files\Splunk folder
e.g. - splunkd.log

When I use index=main, FROM:
source = Perfmon:Perfmon_Local

sourcetype = Perfmon:Perfmon_Local

Can someone help to capture this data ?

Thanks,
Mandar