I have installed Splunk DB Connect 2 to monitor MS SQL Audit Logs. I am able to get audit logs, but I see the same data getting reindexed every 5 min.
Could someone please help fix this problem?
Inputs.conf
[rpcstart://default]
javahome = C:\Program Files\Java\jdk1.8.0_74
useSSL = 1
proc_pid = 668
[mi_input://Audit_Logs]
connection = splunk_sql
index = main
interval = 300
max_rows = 10000
mode = batch
output.timestamp = true
output.timestamp.column = EVENT_TIME
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSSSSS
query = select * From SQL_audit_log
source = dbx2
sourcetype = mssql:audit
ui_query_catalog = master
ui_query_mode = advanced
ui_query_schema = sys
This is because you use "mode = batch": DB Connect will dump the whole table every time mi_input runs.
You should use "mode = tail" aka "Follow Tail" and assign a unique rising column.
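To illustrate the answer above, here is the same stanza rewritten for tail mode. This is an added example, not from the original post or the DB Connect documentation: the `tail.*` key names follow the dotted DB Connect 2 convention seen in the `output.timestamp.*` keys and should be checked against the app's inputs.conf.spec, and `audit_seq` is a hypothetical monotonically increasing column in SQL_audit_log (a timestamp such as EVENT_TIME can repeat within a second, so rows sharing the checkpoint value would be skipped or re-read).

```ini
; Before (the posted stanza): batch mode re-reads the whole table every 300 s,
; so every row is reindexed on each run.
[mi_input://Audit_Logs_batch]
connection = splunk_sql
index = main
interval = 300
mode = batch
query = select * From SQL_audit_log
sourcetype = mssql:audit

; After: tail mode with a rising column. DB Connect stores the highest value
; of the rising column it has seen as a checkpoint and substitutes it for the
; "?" placeholder on the next run, so only new rows are returned.
[mi_input://Audit_Logs]
connection = splunk_sql
index = main
interval = 300
max_rows = 10000
mode = tail
; audit_seq is a hypothetical strictly increasing column; choose a real
; identity/sequence column from the audit table, not EVENT_TIME.
tail.rising.column = audit_seq
; assumption: 1-based position of the rising column in the SELECT list
tail.rising.column.index = 1
; only index rows newer than the checkpoint; never re-dump existing rows
tail.follow.only = true
output.timestamp = true
output.timestamp.column = EVENT_TIME
output_timestamp_format = yyyy-MM-dd HH:mm:ss.SSSSSS
; list the rising column first and order by it so the checkpoint advances
; monotonically; "?" is replaced by the last checkpoint value
query = SELECT audit_seq, * FROM SQL_audit_log WHERE audit_seq > ? ORDER BY audit_seq ASC
source = dbx2
sourcetype = mssql:audit
ui_query_catalog = master
ui_query_mode = advanced
ui_query_schema = sys
```

After switching modes, confirm in Splunk that a search over the last few intervals shows each audit row only once; if duplicates persist, the rising column is not unique or the checkpoint is not being saved.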