Splunk Enterprise Security

mssql events

punithjigali
Explorer

Hi team,

##### Monitor inputs

# ERROR Log for SQL Server
[monitor://C:\Program Files\Microsoft SQL Server\MSSQL*\MSSQL\Log\ERRORLOG*]
sourcetype = mssql:errorlog
disabled = 0
index=sqlserver


# Default SQL Server Agent Log for the SQL Server Agent Service of SQL Server
[monitor://C:\Program Files\Microsoft SQL Server\MSSQL*\MSSQL\Log\SQLAGENT.OUT]
sourcetype = mssql:agentlog
disabled = 0
index=sqlserver


##### Windows performance monitoring inputs

### Performance Monitoring for System
[perfmon://sqlserverhost:processor]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver



[perfmon://sqlserverhost:logicaldisk]
object = LogicalDisk
counters = Avg. Disk sec/Read; Avg. Disk sec/Write
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserverhost:physicaldisk]
object = PhysicalDisk
counters = Disk Reads/sec; Disk Writes/sec; Avg. Disk sec/Read; Avg. Disk sec/Write; Avg. Disk sec/Transfer; Disk Read Bytes/sec; Disk Write Bytes/sec;Avg. Disk Queue Length
instances = *
interval = 60
showZeroValue = 1
disabled = 1
index=sqlserver


[perfmon://sqlserverhost:network]
object = Network Interface
counters = Current Bandwidth; Bytes Total/sec
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserverhost:memory]
object = Memory
counters = % Committed Bytes In Use;Pages/sec;Available Mbytes;Pages Input/sec;Free System Page Table Entries
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserverhost:paging_file]
object = Paging File
counters = % Usage;% Usage Peak
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserverhost:process]
object = Process
counters = Private Bytes;% Processor Time
instances = sqlservr
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserverhost:system]
object = System
counters = Processor Queue Length;Context Switches/sec
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


### Performance Monitoring for SQL Server
[perfmon://sqlserver:buffer_manager]
object = (SQLServer|MSSQL[^:]*):Buffer Manager
counters = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver

[perfmon://sqlserver:memory_manager]
object = (SQLServer|MSSQL[^:]*):Memory Manager
counters = Total Server Memory(KB);Target Server Memory(KB);Granted Workspace Memory (KB);Maximum Workspace Memory (KB);Memory Grants Outstanding;Memory Grants Pending;Target Server Memory (KB)
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:databases]
object = (SQLServer|MSSQL[^:]*):Databases
counters = Active Transactions;Data File(s) Size (KB);Log File(s) Size (KB);Log File(s) Used Size (KB);Transactions/sec
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver

[perfmon://sqlserver:general_statistics]
object = (SQLServer|MSSQL[^:]*):General Statistics
counters = User Connections;Processes blocked;Logins/sec;Logout/sec
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:sql_statistics]
object = (SQLServer|MSSQL[^:]*):SQL Statistics
counters = Batch Requests/sec;SQL Compilations/sec;SQL re-Compilations/sec;SQL Attention Rate/sec;Auto-Param Attempts/sec;Failed Auto-Params/sec;Safe Auto-Params/sec;Unsafe Auto-Params/sec
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:access_methods]
object = (SQLServer|MSSQL[^:]*):Access Methods
counters = Forwarded Records/sec;Full Scans/sec;Index Searches/sec;Page Splits/sec;Workfiles Created/sec;Worktables Created/sec;Worktables From Cache Ratio;Table Lock Escalations/sec
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:latches]
object = (SQLServer|MSSQL[^:]*):Latches
counters = Latch Waits/sec;Avg Latch Wait Time (ms);Total Latch Wait Time (ms)
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:sql_errors]
object = (SQLServer|MSSQL[^:]*):SQL Errors
counters = Errors/sec
instances = DB Offline Errors;Info Errors;Kill Connection Errors;User Errors;_Total
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:locks]
object = (SQLServer|MSSQL[^:]*):Locks
counters = Number of Deadlocks/sec;Average Wait Time (ms)
instances = *
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver


[perfmon://sqlserver:transactions]
object = (SQLServer|MSSQL[^:]*):Transactions
counters = Transactions; Longest Transaction Running Time
interval = 60
showZeroValue = 1
disabled = 0
index=sqlserver

this is my inputs.conf of mssql add on,

I am not getting performence events such as locks, latches, transactions
any help regarding this I am using universal forwarder....

Labels (1)

youngsuh
Communicator

I am noticing the something with those three source type.  Did you resolve?

sqlserver:locks - Performance Monitor
sqlserver:latches - Performance Monitor
sqlserver:sql_errors - Performance Monitor

 

All the other Performance inputs are working correctly.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!