1. Create an identity in Splunk with an account that has access to SQL Server. The account will require server control (USE master; GRANT CONTROL SERVER TO SplunkUSER;).
2. Create a new connection using the identity created in step 1.
3. Create a data lab and specify your connection created in step 2. In the data lab you specify your query: SELECT * FROM sys.fn_get_audit_file ('\\<servername>\<sharename>\*.sqlaudit',null,null);
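An incremental variant of the query in step 3, added here as an example and not part of the original post. It assumes the input is configured as a DB Connect rising-column input, with `?` as the checkpoint placeholder and `event_time` chosen as the rising column, so each run indexes only audit records newer than the last one read.

```sql
-- Added example, not the poster's query.
-- Assumption: DB Connect rising-column input; "?" is replaced by the stored
-- checkpoint value and event_time is the rising column.
-- <servername> and <sharename> are the placeholders from the post.
--
-- Permission note: per Microsoft's documentation, SQL Server 2022 and later
-- let sys.fn_get_audit_file run with VIEW SERVER SECURITY AUDIT, which is far
-- narrower than CONTROL SERVER; earlier versions require CONTROL SERVER.
SELECT
    event_time,              -- UTC time the audited action fired
    sequence_number,         -- order of records within one large event
    action_id,               -- audited action code
    succeeded,               -- 1 = action succeeded, 0 = it failed
    session_id,
    server_principal_name,   -- login that performed the action
    database_name,
    object_name,
    statement,               -- T-SQL text, when captured by the audit
    file_name,               -- .sqlaudit file the record came from
    audit_file_offset        -- offset of the record inside that file
FROM sys.fn_get_audit_file('\\<servername>\<sharename>\*.sqlaudit', NULL, NULL)
WHERE event_time > ?
ORDER BY event_time ASC;
```

Naming the columns instead of using `SELECT *` keeps the indexed fields stable if the audit file schema gains columns in a later SQL Server version.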