Splunk for Microsoft SQL Server, Part 2

Here is the Q&A from the live Talk. Enjoy.

Q: Will this degrade any sql performance?

A:  No, the stream forwarder is very lightweight and passively observes the packet data. If you use a network TAP to forward MSSQL traffic to it there will be zero impact.

Q: How does it will scale if you have 1000 of servers?

A: No problem with 1000 servers! Splunk can index and search against petabytes of data per day at scale. The agent can run on each SQL Server/App Server, or on a network monitoring host attached to a TAP without penalty.

We also want to make sure you have all these additional resources for your journey.

• Splunk App for Stream
• Splunk Essentials for Wire Data

• Database Support
• Release Notes
• Sourcetypes
• Installation steps

Tech Talk: MSSQL Part 1

Hi

I was looking to view Splunk for Microsoft SQL Server, Part 1 ahead of this but the video for Part 1 is not available. If you go to the blog and follow the links to Part 1 of the presentation then you get a message -  "Content not available"  next to the media player. 

Could this be fixed? Part 2 is interesting but I'd also like to view part 1.

https://community.splunk.com/t5/Splunk-Tech-Talks/Splunk-for-Microsoft-SQL-Server-Part-1/ba-p/517981

I can't post this under the Part 1 post as the comments are closed.

Thanks

Graham

Hi @daviesg

Sorry you are having that issue. Typically that error comes up when there are bandwidth issues. I just checked the link and it is playing for me in Chrome. Can you try a different browser or check later. Let me know if you are still having issues.

Thanks for checking - I can confirm that I can view it this morning (using safari).

Have a great weekend.

Graham

Hello, and thank you for posting this. I am just getting started with this app and couldn't figure out which stream to use for MSSQL data. That answer is crystal clear now, the TDS stream is the one to use.

I am having a problem with the communication between a UF and the Splunk Stream app running in Splunk Cloud. In order for the UF to register with the Stream app in Splunk Cloud, the traffic is routed through a cloud-based proxy service. I've created a custom forwarder group that matches every hostname so I can override the builtin defaultgroup, since I don't want any streams to be enabled by default on any UF. Then I apply one single custom stream to the custom forwarder group.

I am finding that the UF drops out of the custom group and back into the builtin defaultgroup shortly after the custom forwarder group is created. When I attach the UF to a Splunk Stream app running in the same data center (so the traffic is not routed through a proxy), it stays in the custom forwarder group.

This leads me to wonder how the traffic between a UF and the Stream app can be affected if the UF /appears/ to change its IP address, since the proxy provider is using a pool of source addresses. The documentation doesn't go into any detail about the communication between the UF and the Stream app, so it's difficult for me conclude how that might impact things. The UF is registering successfully so I know connectivity is there. But can you explain how a custom forwarder group in the Splunk stream app running in Splunk Cloud might be affected by a UF that /appears/ to change it's source address?

Are there any server settings we need to be aware of? We having some inconsistencies with "login" and "result_row_count." They are often missing. This demo is exactly what we are attempting to achieve: who did what, when, and the result of the query. Thank you!

@melissap 

@_smp_  @ejans100  I am getting answers for you from our speaker! Be back in touch soon!

@melissap Thanks, but no update needed for me, I just found out the issue I hit is a bug (STREAM-4657)

Thanks @melissap! I'm working with our Splunk account reps on this so if it's easier to pass their names for coordination let me know.