View our Tech Talk: IT Edition, Splunk for Microsoft SQL Server, Part 2
Building on the previous IT Tech Talk about using the Splunk Add-on for Microsoft SQL Server to collect and add structure to your Microsoft SQL Server data, we'll look at other options for collecting and using Microsoft SQL Server data in the Splunk ecosystem in part two.
Tune in to hear about:
Capturing MSSQL traffic using Splunk Stream
Other Splunk portfolio options for collecting and analyzing Microsoft SQL Server data
Tech Talk discussions will remain open for 2 weeks after the live talk. You can continue the conversation within Splunk Answers under the tag Splunk Add-on for Microsoft SQL Server.
A: No, the stream forwarder is very lightweight and passively observes the packet data. If you use a network TAP to forward MSSQL traffic to it there will be zero impact.
Q: How will it scale if you have 1000s of servers?
A: No problem with 1000 servers! Splunk can index and search against petabytes of data per day at scale. The agent can run on each SQL Server/App Server, or on a network monitoring host attached to a TAP without penalty.
I was looking to view Splunk for Microsoft SQL Server, Part 1 ahead of this but the video for Part 1 is not available. If you go to the blog and follow the links to Part 1 of the presentation then you get a message - "Content not available" next to the media player.
Could this be fixed? Part 2 is interesting but I'd also like to view part 1.
Sorry you are having that issue. Typically that error comes up when there are bandwidth issues. I just checked the link and it is playing for me in Chrome. Can you try a different browser or check later? Let me know if you are still having issues.
Hello, and thank you for posting this. I am just getting started with this app and couldn't figure out which stream to use for MSSQL data. That answer is crystal clear now, the TDS stream is the one to use.
I am having a problem with the communication between a UF and the Splunk Stream app running in Splunk Cloud. In order for the UF to register with the Stream app in Splunk Cloud, the traffic is routed through a cloud-based proxy service. I've created a custom forwarder group that matches every hostname so I can override the builtin defaultgroup, since I don't want any streams to be enabled by default on any UF. Then I apply one single custom stream to the custom forwarder group.
I am finding that the UF drops out of the custom group and back into the builtin defaultgroup shortly after the custom forwarder group is created. When I attach the UF to a Splunk Stream app running in the same data center (so the traffic is not routed through a proxy), it stays in the custom forwarder group.
This leads me to wonder how the traffic between a UF and the Stream app can be affected if the UF /appears/ to change its IP address, since the proxy provider is using a pool of source addresses. The documentation doesn't go into any detail about the communication between the UF and the Stream app, so it's difficult for me to conclude how that might impact things. The UF is registering successfully, so I know connectivity is there. But can you explain how a custom forwarder group in the Splunk Stream app running in Splunk Cloud might be affected by a UF that /appears/ to change its source address?
Are there any server settings we need to be aware of? We are having some inconsistencies with "login" and "result_row_count." They are often missing. This demo is exactly what we are attempting to achieve: who did what, when, and the result of the query. Thank you!
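As an added example (not code from the Tech Talk, the Splunk Stream app, or the Add-on), the script below shows one way to check the field completeness that the last comment raises before opening a support case: it parses a handful of constructed Stream-style TDS events, counts how often each expected field is absent, and builds the "who did what, when, with what result" view the commenter is after, keeping unattributed queries visible instead of dropping them. The field names `login` and `result_row_count` come from the discussion above; `timestamp`, `src_ip`, `dest_ip` and `query` are assumed names for illustration, and every event is constructed, not captured from a real server.

```python
"""Field-completeness check over Splunk Stream TDS (MSSQL) events.

Added example, not Splunk's code. Events are constructed inline to look
like one-JSON-object-per-line Stream output; 'login' and
'result_row_count' are the fields named in the discussion, the others
(timestamp, src_ip, dest_ip, query) are assumed for illustration.
"""
import json
from collections import Counter

# Constructed sample events (not captured from a real server).
SAMPLE_EVENTS = [
    json.dumps({"timestamp": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.5",
                "dest_ip": "10.0.0.20", "login": "reporting_svc",
                "query": "SELECT id, total FROM orders WHERE status = 'open'",
                "result_row_count": 42}),
    # login and result_row_count both missing: the gap described above
    json.dumps({"timestamp": "2024-01-01T10:00:03Z", "src_ip": "10.0.0.7",
                "dest_ip": "10.0.0.20",
                "query": "UPDATE users SET email = 'x@example.com' WHERE id = 7"}),
    json.dumps({"timestamp": "2024-01-01T10:00:05Z", "src_ip": "10.0.0.5",
                "dest_ip": "10.0.0.20", "login": "reporting_svc",
                "query": "SELECT COUNT(*) FROM audit_log",
                "result_row_count": 1}),
    # result_row_count missing only
    json.dumps({"timestamp": "2024-01-01T10:00:09Z", "src_ip": "10.0.0.9",
                "dest_ip": "10.0.0.20", "login": "dba_admin",
                "query": "DELETE FROM sessions WHERE expires < GETDATE()"}),
]

# Fields an audit view needs; names other than login/result_row_count are assumed.
REQUIRED = ("timestamp", "src_ip", "login", "query", "result_row_count")


def parse_events(lines):
    """Parse one JSON event per line; skip lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def missing_field_report(events, required=REQUIRED):
    """Return {field: number of events where it is absent or null}.

    Tells you whether a gap is systematic (every event) or intermittent
    (some events), which is the first thing to establish before looking
    at server-side settings."""
    missing = Counter()
    for ev in events:
        for field in required:
            if ev.get(field) is None:
                missing[field] += 1
    return {field: missing[field] for field in required}


def audit_rows(events):
    """Build 'who did what, when, with what result' rows.

    A missing login is reported as UNKNOWN rather than dropped, so an
    unattributed query still shows up for a reviewer."""
    return [{
        "when": ev.get("timestamp"),
        "who": ev.get("login") or "UNKNOWN",
        "from": ev.get("src_ip"),
        "what": ev.get("query"),
        "rows_returned": ev.get("result_row_count"),
    } for ev in events]


def unattributed_queries(events):
    """Events that carry a query but no login."""
    return [ev for ev in events if ev.get("query") and not ev.get("login")]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("missing fields:", missing_field_report(evs))
    for row in audit_rows(evs):
        print(row)
```

Run it against real Stream output by replacing `SAMPLE_EVENTS` with the lines of an exported search; a report showing `login` missing on every event points at how the session is being captured, while a partial count points at something intermittent such as traffic the capture point does not see.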