For future reference, we do exactly this and it's far more involved than one would have guessed.
Assume you have created a Server Audit Specification and a Audit and have those recording the auditing you need to file. Now, the problem is that it's in a file - it's not quite accessible the usual SQL way. The permissions in order to read those are quite extensive, and in our case we didn't want to allow the Splunk DB user such rights, so we did the following.
Create a table (we put ours in a newly created "Audit" DB) with an auto-incrementer key field and all the other fields you'll need. Review SQL DB auditing tables to figure out what you need to gather from the Audits. Not all columns are important in all environments.
Create a Stored Procedure that "inserts" the data you want into that table, like "INSERT INTO dbo.MyAuditTable (event_time, blah blah, blah) select from dbo.fn_get_audit_file("filename and path with wildcards"). We put in a "where event_time > ( select max(event_time) from dbo.ourAuditTable"
Create a job to run on some schedule (ours is hourly, it's good enough for us, your mileage may vary) that runs the above Stored Procedure to update the table regularly.
NOW you can use Splunk's DB connect to directly suck out the data you are schlepping into that table as if it's any other table. This is fully specified elsewhere and will have some minor dependencies on what exactly you did when you set up the above, but should be relatively easy - the hard part is making the SQL Audit tables available in the first place.
... View more