Splunk App for Microsoft SQL Server has an Overview page. I have that successfully showing the monitored SQL instance.
But if I go to the Security/Database Operations report, it fails to return results.
An indexed audit event can be found with this search: index="wineventlog" AND "logname=application"
Inspecting one of these events reveals it is missing the mssql-audit eventtype.
Splunk App for Microsoft SQL Server has a macros.conf. Line 3 reads "definition = eventtype=mssql-audit server_instance_name="$instance$"...
I regularly run unsigned PowerShell scripts from this server. There are no recent errors in the PowerShell errors report.
Is something malfunctioning around automatically assigning the mssql-audit eventtype to events as they are searched or indexed?
Thanks! - Chris
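Eventtypes in Splunk are assigned at search time from eventtypes.conf, not at index time, so an event only shows `eventtype=mssql-audit` if an enabled app defines that eventtype and the eventtype's own search matches the event. The two searches below are an added illustration of how to check both conditions; they are not from the original post. The eventtype name `mssql-audit` and the `index="wineventlog"` / `logname=application` filter come from the question; the `(none)` label and the `et` field name are assumed.

```spl
| rest /servicesNS/-/-/saved/eventtypes splunk_server=local
| search title="mssql-audit"
| table title search disabled eai:acl.app

index="wineventlog" logname=application
| eval et=if(isnull(eventtype), "(none)", mvjoin(eventtype, ","))
| stats count by et
```

If the first search returns no rows, no installed app defines `mssql-audit`, and the macro on line 3 of macros.conf can never match. If it returns a row, run the `search` value it shows against `index="wineventlog" logname=application`: a zero hit count means the eventtype definition does not fit the audit events as they are actually indexed (a different sourcetype or field name, for example). The second search shows how many of the application-log events carry any eventtype at all, which separates "eventtype missing" from "events missing".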
This may be related to a mixup between a Splunk-supported Add-on for SQL, and an unsupported App for SQL that has since been discontinued.