Hi, thank you for your feedback.  The add-on is installed on indexer, searchheads and universal forwarder. However fields like below are not beeing mapped   00/00/0000 00:00:00 PM LogName=Application EventCode=33205 EventType=0 ComputerName= SourceName=MSSQLSERVER Type=Information RecordNumber=123456 Keywords=Audit Failure, Classic TaskCategory=Logon OpCode=None Message=Audit event: audit_schema_version:1 event_time:2023-00-00 00:00:00.000000 sequence_number:1 action_id:LGIF succeeded:false is_column_permission:false session_id:0 server_principal_id:0 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:LX permission_bitmask:00000000000000000000000000000000 sequence_group_id: session_server_principal_name: server_principal_name: server_principal_sid: database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:XXXXXXXXXX database_name: schema_name: object_name: statement: additional_information: user_defined_information:   Should all fields not be extracted, as the add-on has these field extractions. Or does it only work with dbconnect? Hopefully somebody can support and advise before I start working on a customized solution which I am trying to avoid.   ... View more

What was your conclusion? Which method did you use? ... View more

Hi Andreas, thank you for the quick response. Does this mean you did the mapping and field extraction all by yourself for?  Best, O. ... View more

@gcusello wrote: Hi @splunkcol, Yes, you can configure an intermediate forwarder ("Heavy") to work as a concentrator to send logs to the Indexers; this is the usual architecture when you have Splunk Cloud but it can be used also for Splunk on Premise. At first you need at least two Heavy Forwarders (not one), to avoid Single Points of Failure in your architecture. Then, you have to divide your inputs in three classes: logs from server (Windows or Linux it's the same), syslogs, Databases. For the first item, at first you should define if you can install an agent (Universal Forwarder) on the target server or not. If yes you can configure your Universal Forwarders to send logs to the Heavy Forwarders and Splunk guarantees Load Balancing and Fail Over. If you cannot use Universal Forwarder you have to use : WMI to take logs from Windows servers, syslogs to take logs from Linux Servers. My hint is: try always to use Universal Forwarder for many reasons: Easy to manage, more secure (WMI requires Domain credentials), more efficient (UF encrypts and compress packets before sending to HF); no lost data (there's a local cache when connection with Indexers is blocked). For syslogs, you have to use (in addition to the two Heavy Forwarders) a Load Balancer to distribute load between HFs and manage Fail Over, if you haven't you can use a DNS Policy. For DB, if you have to take logs from files you can use the solution for servers with UF; if you have to tale logs from tables, you have to install on both the HFs the DB-Connect App and configure it. Ciao. Giuseppe How do I set up and configure the loadbalancing of the Universal Forwarder between the two Heavy Forwarder? - Is a 3rd party loadbalancer advised? Or can the Universal Forwarder manage themselves? - Is it advised that the Heavy Forwarder are in an active passive mode? What possibilities are there? ... View more

Hi there, what method did you end up using? Any experience that you can share? O. ... View more

Does anyone know all the azure instances IP or URL that I need to establish a connectivity with?  ... View more

Okay, but what does that look like? Does it have a common scheme?  *.management.azure.com or *.graph.azure.com? And where do i find it? ... View more

In case i use both add-on's do I need to create two seperate application integrations? ... View more

Thank you for the quick feedback, the guide is helpful but i was more looking into a comparison about what add-on to use. Is the "Splunk Add-on for Microsoft Cloud Services" able to get the O365 data? Is it advised to use it? ... View more

Thanks everyone, i have decided to create something like "technology_vendor" Jay ... View more