I'm attempting to consume MSSQL ERROR logs from 800+ systems with different log locations.
The current approach is to configure a common directory on the C drive, c:\mssql logs\, with up to 10 symlinks within.
Each link corresponds to LOG folders of different MSSQL Instances.
C:\MSSQL LOGS\LOG3 ... etc
For example, symlink LOG1 points to C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Log
My current inputs.conf is not working; however, one that points to the actual does.
I need 2 questions answered.
1. What is the correct method to consume symlinks?
2. Is there a better approach to deploy & consume MSSQL ERROR logs from a large number of systems?
[monitor://C:\MSSQL LOGS*] - Does not work
[monitor://C:\MSSQL LOGS\LOG4*] - Does not work
followSymlink = true
recursive = true
index = stage_idx
sourcetype = mssql:errorlog
disabled = 0
Did you try to use the SQL Server TA (https://splunkbase.splunk.com/app/2648/)?