All Apps and Add-ons

Why isn't my Splunk setup capturing mssql performance and audit data?

mandar_alawani
New Member

Hi,

My setup (all on one server - test environment:
Splunk Enterprise 7
Splunk Add-on for Microsoft SQL Server Splunk_TA_microsoft-sqlserver 1.3.0

Splunk DB Connect splunk_app_db_connect 3.1.1

I have been able to create Data input for one test table.

I have edited inputs.conf and sqlserver_dbx2.conf as below (it is some of the stanzas):

[mssql:audit]
description = Collect audit event data from audit log file
interval = 60
mode = rising
index_time_mode = current
query = SELECT * \
FROM sys.fn_get_audit_file ('C:\\SQLAudit\\*',default,default) \
WHERE event_time > ? \
ORDER BY event_time ASC
sourcetype = mssql:audit
rising_column_index = 1

[mssql:processes]
description = Collect information of processes that are running on an instance of SQL Server
interval = 300
mode = batch
index_time_mode = current
query = SELECT a.*, b.name,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM

sys.sysprocesses a JOIN sys.databases b ON a.dbid = b.database_id
sourcetype = mssql:processes

[mssql:databases]
description = Collect information about databases in a SQL Server instance
interval = 300
mode = batch
index_time_mode = current
query = SELECT *,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM
sys.databases
sourcetype = mssql:databases

But I am NOT able to get SPLUNK to capture this data. I can only see data from:
When I use index=_internal, FROM:
log files in C:\program Files\Splunk folder
e.g. - splunkd.log

When I use index=main, FROM:
source = Perfmon:Perfmon_Local

sourcetype = Perfmon:Perfmon_Local

Can someone help to capture this data ?

Thanks,
Mandar

0 Karma
1 Solution

jplumsdaine22
Influencer

Did you follow the instructions for dbconnect v3? http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/ConfigureDBConnectv3inputs

sqlserver_dbx2.conf is for dbconnect version 2

View solution in original post

jplumsdaine22
Influencer

Did you follow the instructions for dbconnect v3? http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/ConfigureDBConnectv3inputs

sqlserver_dbx2.conf is for dbconnect version 2

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...