splunk app/work around to track the executed SQL s...

summer · ‎10-06-2020

I want to track the executed SQL server queries, however I don't want to enable trace log because it would impact SQL server I/O and consume a lot of local space. So, I don't have any sql server trace logs (*.trc files) stored in the server/DB. Is there any work around or splunk app can track the executed SQL server queries?

dmacintosh_splu · ‎10-06-2020

If you are not able to ingest data that already is produced that contains the query information, you could explore Splunk Stream to pull out the SQL query from the wire data. This could be quite the change so comparing it against enabling the trace log might be a good exercise. If the traffic is encrypted, the cert will be required to decrypt the traffic but you would be able to see the query, transaction times, etc.

The following Splunk Lantern use case is very applicable to your question as well using Splunk Stream. https://lantern.splunk.com/hc/en-us/articles/360053617474-Analyzing-wire-data-from-databases

summer · ‎10-06-2020

Thanks for the quick response. it seems it requires some changes on sql server network setting?

splunk app/work around to track the executed SQL server queries

monitor

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation