Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk for Microsoft SQL Server, Part 2

melissap
Splunk Employee

View our Tech Talk: IT Edition, Splunk for Microsoft SQL Server, Part 2 

Building on the previous IT Tech Talk about using the Splunk Add-on for Microsoft SQL Server to collect and add structure to your Microsoft SQL Server data, we'll look at other options for collecting and using Microsoft SQL Server data in the Splunk ecosystem in part two.

Tune in to hear about:

  • Capturing MSSQL traffic using Splunk Stream
  • Other Splunk portfolio options for collecting and analyzing Microsoft SQL Server data

Tech Talk discussions will remain open for 2 weeks after the live talk. You can continue the conversation within Splunk Answers under the tag Splunk Add-on for Microsoft SQL Server.

melissap
Splunk Employee

Here is the Q&A from the live Talk. Enjoy.

Q: Will this degrade any SQL performance?

A: No, the stream forwarder is very lightweight and passively observes the packet data. If you use a network TAP to forward MSSQL traffic to it there will be zero impact.

Q: How will it scale if you have 1000s of servers?

A: No problem with 1000 servers! Splunk can index and search against petabytes of data per day at scale. The agent can run on each SQL Server/App Server, or on a network monitoring host attached to a TAP without penalty.


melissap
Splunk Employee

We also want to make sure you have all these additional resources for your journey.

Splunkbase Apps
Docs

Tech Talk: MSSQL Part 1

daviesg
Engager

Hi

I was looking to view Splunk for Microsoft SQL Server, Part 1 ahead of this, but the video for Part 1 is not available. If you go to the blog and follow the links to Part 1 of the presentation then you get a message - "Content not available" - next to the media player.

Could this be fixed? Part 2 is interesting but I'd also like to view part 1.

https://community.splunk.com/t5/Splunk-Tech-Talks/Splunk-for-Microsoft-SQL-Server-Part-1/ba-p/517981

I can't post this under the Part 1 post as the comments are closed.

Thanks

Graham

melissap
Splunk Employee

Hi @daviesg

Sorry you are having that issue. Typically that error comes up when there are bandwidth issues. I just checked the link and it is playing for me in Chrome. Can you try a different browser or check later? Let me know if you are still having issues.

daviesg
Engager

Thanks for checking - I can confirm that I can view it this morning (using Safari).

Have a great weekend.

Graham

_smp_
Builder

Hello, and thank you for posting this. I am just getting started with this app and couldn't figure out which stream to use for MSSQL data. That answer is crystal clear now, the TDS stream is the one to use.

I am having a problem with the communication between a UF and the Splunk Stream app running in Splunk Cloud. In order for the UF to register with the Stream app in Splunk Cloud, the traffic is routed through a cloud-based proxy service. I've created a custom forwarder group that matches every hostname so I can override the builtin defaultgroup, since I don't want any streams to be enabled by default on any UF. Then I apply one single custom stream to the custom forwarder group.

I am finding that the UF drops out of the custom group and back into the builtin defaultgroup shortly after the custom forwarder group is created. When I attach the UF to a Splunk Stream app running in the same data center (so the traffic is not routed through a proxy), it stays in the custom forwarder group.

This leads me to wonder how the traffic between a UF and the Stream app can be affected if the UF /appears/ to change its IP address, since the proxy provider is using a pool of source addresses. The documentation doesn't go into any detail about the communication between the UF and the Stream app, so it's difficult for me to conclude how that might impact things. The UF is registering successfully so I know connectivity is there. But can you explain how a custom forwarder group in the Splunk Stream app running in Splunk Cloud might be affected by a UF that /appears/ to change its source address?

ejans100
Observer

Are there any server settings we need to be aware of? We are having some inconsistencies with "login" and "result_row_count." They are often missing. This demo is exactly what we are attempting to achieve: who did what, when, and the result of the query. Thank you!

@melissap 

melissap
Splunk Employee

@_smp_  @ejans100  I am getting answers for you from our speaker! Be back in touch soon!

_smp_
Builder

@melissap Thanks, but no update needed for me. I just found out the issue I hit is a bug (STREAM-4657).

ejans100
Observer

Thanks @melissap! I'm working with our Splunk account reps on this so if it's easier to pass their names for coordination let me know.