Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can Splunk index SQL Server Trace (*.trc) logs?

maverick
Splunk Employee
Splunk Employee
‎02-24-2010 02:32 PM

Can Splunk index SQL Server Trace (*.trc) logs?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

maverick
Splunk Employee
Splunk Employee
‎02-24-2010 02:53 PM

Since SQL Server Trace logs (*.trc files) are not plain text, it will not be readable once it's indexed within Splunk.

However, if you want to develop an input solution themselves, there are some .NET classes for reading them here:

http://msdn.microsoft.com/en-us/library/microsoft.sqlserver.management.trace.tracefile_members.aspx

From what I can tell, they’re pretty straightforward, and even has an event that gets called when the file is added, which means you could write your own SQLTraceFile log tailing class.

Now if you wrote a script that called this class and scheduled it via Splunk Scripted Inputs, your script would have to account for and handle the rolled over files, or there might be issues over-indexing or duplicate events, etc.

However, if you don’t need the info in real time, then it’s probably easier to write a script that waits for a file to roll, moves it away, THEN processes it into text with SQLTraceFile API call (above), and finally let Splunk index that resulting text version of the events. Alternatively, you could write a preprocessor that works on a whole file and call it by setting the unarchive_cmd option in props.conf, though you'll still have to wait for a complete file to roll to use this option.

View solution in original post

Reply
Solved! Jump to solution

erik_extrahop
Explorer
‎09-19-2012 11:52 AM

ExtraHop now has a Splunkbase app for database monitoring. Databases supported are Oracle, Microsoft SQL, Informix, DB2, Sybase and Sybase IQ, Postgres, and MySql.
http://splunk-base.splunk.com/apps/53757/extrahop.
Disclaimer: the Splunk App does require the ExtraHop APM platform to be installed which acts as non-invasive forwarder for Splunk.

0 Karma
Reply
Solved! Jump to solution
Solution

maverick
Splunk Employee
Splunk Employee
‎02-24-2010 02:53 PM

Since SQL Server Trace logs (*.trc files) are not plain text, it will not be readable once it's indexed within Splunk.

However, if you want to develop an input solution themselves, there are some .NET classes for reading them here:

http://msdn.microsoft.com/en-us/library/microsoft.sqlserver.management.trace.tracefile_members.aspx

From what I can tell, they’re pretty straightforward, and even has an event that gets called when the file is added, which means you could write your own SQLTraceFile log tailing class.

Now if you wrote a script that called this class and scheduled it via Splunk Scripted Inputs, your script would have to account for and handle the rolled over files, or there might be issues over-indexing or duplicate events, etc.

However, if you don’t need the info in real time, then it’s probably easier to write a script that waits for a file to roll, moves it away, THEN processes it into text with SQLTraceFile API call (above), and finally let Splunk index that resulting text version of the events. Alternatively, you could write a preprocessor that works on a whole file and call it by setting the unarchive_cmd option in props.conf, though you'll still have to wait for a complete file to roll to use this option.

Reply
Solved! Jump to solution

maverick
Splunk Employee
Splunk Employee
‎04-28-2010 04:52 PM

If anyone had actually tried this and got it to work, please post any helpful hints or code logic, etc. It would be greatly appreciated.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...