Solved: No data in app.

Lazarix · ‎02-19-2014

Hi all,

I've installed everything correctly and I have quite a lot of data being logged in splunk now (nearly 20GB per day). I can see when I search for one of the SQL servers in splunk as "host=servername" that it shows source = WinEventLog://Security and sourcetype = WinEventLog:Security so it's definitely logging data and indexing it in splunk.

However, the Microsoft SQL Server App itself isn't showing any data.
When I run all 5 lookup generators, they all show no results, despite me seeing data indexed in splunk for the SQl server.

How can I get the app to find the data?

Lazarix · ‎03-05-2014

Closing this because nobody can seem to solve it, so I'm just going to stop using the app.

Poor.

View solution in original post

amiracle · ‎07-31-2014

I figured this one out, finally. Here's what I did:
Windows Server 2008 R2 and Windows 2012 R2 - Open Powershell as Administrator

PS C:\>Get-Execution Policy

If it's Restricted, then do the following:

PS C:\>Set-Execution Policy Bypass

Say Yes to the Execution Policy Change.

Then run Get-ExecutionPolicy and see that it changed to Bypass:

PS C:\> Get-ExecutionPolicy
Bypass

Once you have that done, now you'll need to make one more change.

Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security ->Logins -> NT AUTHORITY\SYSTEM (Properties) and grant the user sysadmin Server Role. Apply the change and restart your Splunk service. (Thanks Adrian: http://answers.splunk.com/answers/108974/problem-with-powershell-and-splunk_for_sqlserver-app)

Once you have all these steps done, then go into the app and run the Lookup Table Rebuilder (Searches & Reports->Lookup Table Rebuilder)

Lastly, you can run the search:

index=mssql | stats count, values(sourcetype) by host

You should see the following source types show up:

MSSQL:Database:Health
MSSQL:Host:Memory
MSSQL:Instance:Service
MSSQL:Instance:User
Powershell:ScriptExecutionSummary

FunPolice · ‎06-09-2014

The SQL app instructions don't include instructions for the other apps that you need - see http://answers.splunk.com/answers/101202/sql-server-splunk-app-does-not-show-any-servers for someone who is having the same problem. I'm still working through this myself, but at the very least you will need to ensure that powershell scripts can run.

On your SQL server:

Start a Powershell window as an administrator
Run "Get-ExecutionPolicy". You can see what the answer means at http://technet.microsoft.com/library/hh847748.aspx.
Run "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned (if that's suitable for you - I'm still testing)
Run "Get-ExecutionPolicy" again to confirm the change.
Try running a script manually to see what happens (any script will do)

bosburn_splunk · ‎03-05-2014

Lazarix -

If you have enterprise support, can you please open up a ticket and let me know the number in a private message?

Brian

aelliott · ‎03-05-2014

What index did you store the data in? if you did not store it in the "main" index, you may have to go and change all the saved searches etc to use the specified index as it will default to main i believe in the searches.

Lazarix · ‎03-05-2014

Closing this because nobody can seem to solve it, so I'm just going to stop using the app.

Poor.

No data in app.

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...