EPO & Splunk DBConnect

AaronMoorcroft
Communicator

Hi Guys

I have seen a few posts dotted around relating to dragging in data from the EPO DB with an app called DBConnect. I've managed to get that installed and connected to the DB; however, when trying to add a database input it gets a little confusing.

When trying to configure using the GUI:

I figure that I only need new events, so I have picked the Tail input type.
Selected the database created earlier.
Table name would be set to dbo.EPOAuditEventMsgs... is that the correct table for AV alerts?
Rising column seems to be a sticking point, with various different posts around the forum on this; I believe that it should be set to EPOEvents.AutoID... is this correct?

Then as for Output, timestamp etc. I assume they can be left blank?

Any help on this would be much appreciated. I have little to no knowledge of SQL, and Splunk is very much a work in progress too.

Thanks in advance

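As an added illustration (not part of this thread or of DB Connect itself), the constructed example below simulates what a tail input does on each poll against an EPO-style events table: read rows whose rising column is above the saved checkpoint, then advance the checkpoint. The table and column names (EPOEvents, AutoID, DetectedUTC, ThreatName) and the sample rows are assumptions; the point it shows is why a strictly increasing identity column such as AutoID is the safer rising column, since a timestamp column silently skips rows that share a second or arrive late.

```python
import sqlite3

# Constructed sample rows standing in for EPO's EPOEvents table; the column
# names AutoID, DetectedUTC and ThreatName are assumptions, not checked
# against a real EPO schema.
COLS = ("AutoID", "DetectedUTC", "ThreatName")
BATCH_1 = [
    (1, "2014-01-10 09:00:00", "EICAR test file"),
    (2, "2014-01-10 09:05:00", "Generic.dx"),
]
BATCH_2 = [
    (3, "2014-01-10 09:05:00", "Generic.dx"),           # same second as AutoID 2
    (4, "2014-01-10 08:55:00", "Late-arriving event"),  # older timestamp, newer row
]
INITIAL_CHECKPOINT = {"AutoID": 0, "DetectedUTC": ""}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, "
                 "DetectedUTC TEXT, ThreatName TEXT)")
    return conn

def tail_once(conn, rising_column, checkpoint):
    """One polling pass of a tail input: return rows whose rising column is
    strictly greater than the saved checkpoint, oldest first, plus the new
    checkpoint (the last value seen). Rows at or below the checkpoint are
    never re-read, which is exactly what makes the column choice matter."""
    if rising_column not in INITIAL_CHECKPOINT:  # never interpolate untrusted names
        raise ValueError(rising_column)
    rows = conn.execute(
        f"SELECT AutoID, DetectedUTC, ThreatName FROM EPOEvents "
        f"WHERE {rising_column} > ? ORDER BY {rising_column}", (checkpoint,)
    ).fetchall()
    new_checkpoint = rows[-1][COLS.index(rising_column)] if rows else checkpoint
    return rows, new_checkpoint

def collected_ids(rising_column):
    """Load two batches with a tail pass after each; return the AutoIDs indexed."""
    conn = open_db()
    checkpoint = INITIAL_CHECKPOINT[rising_column]
    seen = []
    for batch in (BATCH_1, BATCH_2):
        conn.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?)", batch)
        rows, checkpoint = tail_once(conn, rising_column, checkpoint)
        seen.extend(r[0] for r in rows)
    return seen

if __name__ == "__main__":
    print("AutoID      ->", collected_ids("AutoID"))       # [1, 2, 3, 4]
    print("DetectedUTC ->", collected_ids("DetectedUTC"))  # [1, 2]
```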

AaronMoorcroft
Communicator

That looks like it could work; however, I have version 5.0.1, so this would not work for me according to the version that it works on.

Thanks for the link though. I have managed to get it working now; I had placed a space in the DB name, which had stopped it from picking up the connection, I guess.

The problem continues now, as I have to drag the AV alerts from the tables. I was hoping that all the AV alerts would be in the one table, but it doesn't look like they are. If anyone can provide any more help on this, that would be great.


jcoates_splunk
Splunk Employee

I am pleased to announce that we've just released an add-on that can help you with this: http://apps.splunk.com/app/1819/
