Splunk DB Connect 2: Why are MSSQL DB Audit Logs getting reindexed every 5 minutes?

satishsdange
Builder

I have installed Splunk DB Connect 2 to monitor MS SQL Audit Logs. I am able to get audit logs, but I see the same data getting reindexed every 5 minutes.
Could someone please help fix this problem?

inputs.conf

[rpcstart://default]
javahome = C:\Program Files\Java\jdk1.8.0_74
useSSL = 1
proc_pid = 668

[mi_input://Audit_Logs]
connection = splunk_sql
index = main
interval = 300
max_rows = 10000
mode = batch
output.timestamp = true
output.timestamp.column = EVENT_TIME
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSSSSS
query = select * From SQL_audit_log
source = dbx2
sourcetype = mssql:audit
ui_query_catalog = master
ui_query_mode = advanced
ui_query_schema = sys


1 Solution

mchang_splunk
Splunk Employee

This is because you use "mode = batch": DB Connect will dump the whole table every time the mi_input runs.
You should use "mode = tail" (aka "Follow Tail") and assign a unique rising column.

http://docs.splunk.com/Documentation/DBX/2.1.3/DeployDBX/Createandmanagedatabaseinputs#Set_parameter...


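The following is an added illustration of the mechanism behind the accepted answer; it is not code from the original post or from Splunk DB Connect. It builds a constructed SQLite stand-in for the poster's SQL_audit_log table and polls it twice, the way a scheduled input would across two intervals: once as "batch" (whole table every run) and once as "tail" with a checkpoint on a rising column, using the same `WHERE column > ? ORDER BY column ASC` query shape that the linked docs describe for tail mode. The row data, the column names `id` and `action`, and the in-memory checkpoint variable are assumptions made for the example; DB Connect keeps its own checkpoint state. It also goes one step beyond the answer to show why the rising column must be unique: tailing on a non-unique timestamp such as EVENT_TIME silently drops an audit row that shares the checkpoint's timestamp but arrives after the poll.

```python
import sqlite3

# Constructed sample of an MSSQL-style audit table (not the poster's data).
# Columns: id, EVENT_TIME, action, login
AUDIT_ROWS = [
    (1, "2024-03-01 10:00:00.000001", "LOGIN_SUCCESS", "alice"),
    (2, "2024-03-01 10:00:05.000000", "SELECT", "alice"),
    (3, "2024-03-01 10:00:05.000000", "SELECT", "bob"),       # same timestamp as row 2
    (4, "2024-03-01 10:01:00.000000", "LOGIN_FAILED", "mallory"),
]
# Rows committed between the first and second poll; row 5 reuses row 4's timestamp.
LATER_ROWS = [
    (5, "2024-03-01 10:01:00.000000", "LOGIN_FAILED", "mallory"),
    (6, "2024-03-01 10:02:00.000000", "ALTER", "admin"),
]

# Only these columns may be used as a rising column; mapped to their tuple index.
RISING_COLUMNS = {"id": 0, "EVENT_TIME": 1}


def make_db():
    """Create the stand-in audit table with the first batch of rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SQL_audit_log "
        "(id INTEGER PRIMARY KEY, EVENT_TIME TEXT, action TEXT, login TEXT)"
    )
    conn.executemany("INSERT INTO SQL_audit_log VALUES (?, ?, ?, ?)", AUDIT_ROWS)
    return conn


def batch_poll(conn):
    """mode = batch: every interval re-reads the entire table (the poster's query)."""
    return conn.execute("SELECT * FROM SQL_audit_log").fetchall()


def tail_poll(conn, column, checkpoint):
    """mode = tail: fetch only rows past the stored checkpoint, ordered by the
    rising column, and return the new checkpoint (the last row's value)."""
    if column not in RISING_COLUMNS:          # never interpolate an unchecked column name
        raise ValueError(f"unsupported rising column: {column}")
    if checkpoint is None:                    # first run: no checkpoint yet
        rows = conn.execute(
            f"SELECT * FROM SQL_audit_log ORDER BY {column} ASC"
        ).fetchall()
    else:
        rows = conn.execute(
            f"SELECT * FROM SQL_audit_log WHERE {column} > ? ORDER BY {column} ASC",
            (checkpoint,),
        ).fetchall()
    if rows:
        checkpoint = rows[-1][RISING_COLUMNS[column]]
    return rows, checkpoint


def simulate(mode, column=None):
    """Run two polling intervals and report what an indexer would have received."""
    conn = make_db()
    checkpoint = None
    emitted = []
    for new_rows in (None, LATER_ROWS):
        if new_rows:                          # rows written before the second poll
            conn.executemany("INSERT INTO SQL_audit_log VALUES (?, ?, ?, ?)", new_rows)
        if mode == "batch":
            rows = batch_poll(conn)
        else:
            rows, checkpoint = tail_poll(conn, column, checkpoint)
        emitted.extend(rows)
    all_ids = {r[0] for r in AUDIT_ROWS + LATER_ROWS}
    seen_ids = [r[0] for r in emitted]
    return {
        "events_indexed": len(emitted),
        "duplicates": len(seen_ids) - len(set(seen_ids)),
        "missed": sorted(all_ids - set(seen_ids)),
    }


if __name__ == "__main__":
    for label, args in (("batch", ("batch",)),
                        ("tail on EVENT_TIME", ("tail", "EVENT_TIME")),
                        ("tail on id", ("tail", "id"))):
        print(f"{label:20s} {simulate(*args)}")
```

Batch mode indexes 10 events for 6 rows (the first four are re-sent on the second run, which is the reindexing seen every 5 minutes). Tail mode on EVENT_TIME sends no duplicates but misses row 5, because the strict `>` against the checkpoint excludes any later row carrying the same timestamp. Tail mode on the unique `id` column delivers all six rows exactly once, which is why the answer stresses a unique rising column: for audit data, a dropped event is a worse outcome than a duplicated one.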