Thank you, I have been through this article and either I'm missing something or the article is missing something.
Following the steps to 'Create audit objects in Microsoft SQL Server for the Splunk Add-on for Microsoft SQL Server' I now have audit files being written to disk.
CREATE SERVER AUDIT MSSQL_Database_Audit TO FILE ( FILEPATH = 'C:\SQLAudit' ) ;
However, I do not see steps in the article for how to get the file data into Splunk.
1. Create an identity in Splunk with an account that has access to SQL Server.
   - The account will require CONTROL SERVER (USE master; GRANT CONTROL SERVER TO SplunkUSER;).
2. Create a new connection using the identity created in step 1.
3. Create a data lab and specify your connection created in step 2.
   In the data lab you specify your query:
SELECT * FROM sys.fn_get_audit_file ('\\<servername>\<sharename>\*.sqlaudit', NULL, NULL);
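The following T-SQL is an added end-to-end example that is not part of the original post or of the Splunk add-on documentation. It reuses the audit name and file path from the post, and assumes a login named SplunkUSER, a share \\<servername>\<sharename> that exposes C:\SQLAudit, and (for the last query) that the DB Connect input runs in rising-column mode, where DB Connect substitutes the stored checkpoint for the ? placeholder. Replace the placeholders before running.

```sql
-- Added example, not from the original post or the Splunk add-on docs.
-- Assumptions: audit name and path from the post, a login SplunkUSER,
-- and a share \\<servername>\<sharename> that points at C:\SQLAudit.

USE master;
GO

-- 1. Create the server audit (same target as the post) and switch it on.
--    A freshly created audit is OFF; no file is written until STATE = ON.
CREATE SERVER AUDIT MSSQL_Database_Audit
    TO FILE (FILEPATH = 'C:\SQLAudit', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT MSSQL_Database_Audit WITH (STATE = ON);
GO

-- 2. An audit with no audit specification records nothing. This server-level
--    specification captures logins and principal/permission changes.
CREATE SERVER AUDIT SPECIFICATION MSSQL_ServerAuditSpec
    FOR SERVER AUDIT MSSQL_Database_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. sys.fn_get_audit_file requires CONTROL SERVER, as the post says.
--    This is a highly privileged grant, so keep SplunkUSER's password in a
--    DB Connect identity only and do not reuse the login elsewhere.
GRANT CONTROL SERVER TO SplunkUSER;
GO

-- 4. Sanity check. The file is opened by the SQL Server service account, so
--    that account (not SplunkUSER) needs read access to the directory/share.
SELECT TOP (10) event_time, action_id, succeeded,
       server_principal_name, database_name, statement
FROM sys.fn_get_audit_file('\\<servername>\<sharename>\*.sqlaudit', NULL, NULL)
ORDER BY event_time DESC;
GO

-- 5. Query for the DB Connect input in rising-column mode (assumption: the
--    ? placeholder is replaced by DB Connect with the last checkpoint).
--    Using event_time as the rising column avoids re-indexing every audit
--    file on each poll; sequence_number disambiguates events that share a
--    timestamp.
SELECT event_time, sequence_number, action_id, succeeded, session_id,
       server_principal_name, database_principal_name, database_name,
       schema_name, object_name, statement, file_name, audit_file_offset
FROM sys.fn_get_audit_file('\\<servername>\<sharename>\*.sqlaudit', NULL, NULL)
WHERE event_time > ?
ORDER BY event_time ASC;
```

In the DB Connect input, set event_time as the rising column and also as the timestamp column, so each event is indexed once with the time the audit recorded rather than the time of the poll.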