
EPO & Splunk DBConnect

Communicator

Hi Guys

I have seen a few posts dotted around relating to dragging in data from the EPO DB with an app called DBConnect. I've managed to get that installed and connected to the DB, however when trying to add a database input it gets a little confusing.

When trying to configure using the GUI -

I figure that I only need new events so have picked the Tail input type
Selected the Database created earlier
Table name would be set to dbo.EPOAuditEventMsgs... is that the correct table for AV Alerts?
Rising column seems to be a sticking point, with various different posts around the forum on this. I believe that it should be set to EPOEvents.AutoID... is this correct?

Then as for Output, timestamp etc. I assume they can be left blank?

Any help on this would be much appreciated. I have little to no knowledge on SQL, and Splunk is very much a work in progress too.

Thanks in advance

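Before pointing a tail input at a table, it is worth checking that the chosen rising column really behaves like one (non-null, unique, and increasing as new events arrive); otherwise the checkpoint can stall or skip events. The queries below are an added example and not part of the original thread or of the DBConnect app. They are written for the SQL Server database ePO uses; `dbo.EPOEvents` and `EPOEvents.AutoID` come from the question above, while `ReceivedUTC` and `ThreatName` are assumed column names that should be checked against your own ePO schema.

```sql
-- Added example (not from the thread): sanity-check EPOEvents.AutoID as a
-- rising column, then show the shape of a tail query built on it.
-- Column names other than AutoID are assumptions about the ePO schema.

-- 1. A rising column must never be NULL. Expect 0 rows counted.
SELECT COUNT(*) AS null_ids
FROM dbo.EPOEvents
WHERE AutoID IS NULL;

-- 2. It must also be unique, or the checkpoint cannot tell rows apart. Expect 0.
SELECT COUNT(*) AS duplicate_ids
FROM (
    SELECT AutoID
    FROM dbo.EPOEvents
    GROUP BY AutoID
    HAVING COUNT(*) > 1
) AS dupes;

-- 3. New events should land with higher AutoID values than older ones, so the
--    most recently received row should also carry the largest AutoID.
--    (ReceivedUTC is an assumed column name.)
SELECT TOP 1 AutoID, ReceivedUTC
FROM dbo.EPOEvents
ORDER BY ReceivedUTC DESC;

SELECT MAX(AutoID) AS highest_id
FROM dbo.EPOEvents;

-- 4. The shape of a tail read: only rows above the last checkpoint, in rising
--    order so the checkpoint only ever moves forward. The literal 0 is a
--    placeholder for the last AutoID the input recorded; DBConnect fills this
--    in itself once the rising column is configured.
--    (ThreatName is an assumed column name.)
SELECT AutoID, ReceivedUTC, ThreatName
FROM dbo.EPOEvents
WHERE AutoID > 0
ORDER BY AutoID ASC;
```

If query 3 returns an AutoID that differs from `highest_id`, the column is not strictly increasing in arrival order and events can be missed by a tail input; a timestamp such as `ReceivedUTC` would then be the safer rising column, at the cost of re-reading rows that share a timestamp.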

Communicator

That looks like it could work, however I have version 5.0.1 so this would not work for me, according to the version that it works on.

Thanks for the link though. I have managed to get it working now; I had placed a space in the DB name, which had stopped it from picking up the connection, I guess.

The problem continues now as I have to drag the AV alerts from the tables. I was hoping that all the AV alerts would be in the one table, but it doesn't look like it is. If anyone can provide any more help on this, that would be great.


Splunk Employee

I am pleased to announce that we've just released an add-on that can help you with this: http://apps.splunk.com/app/1819/