Ingesting Trace Logs into Splunk

vr2312
Contributor

I am looking to ingest SQL Trace Logs into Splunk.

Can anyone direct me on how this could be achieved?


Richfez
SplunkTrust
SplunkTrust

This should be no problem, but you have to create/use your trace in a particular way.

When you create the trace, choose the option to "save to table" which will save the trace into a database table. I don't remember if you can save a trace to a different DB hosted on the server you are tracing, but I think you can. This is really a "SQL Trace Configuration" issue, so read through Microsoft's docs if you have difficulties.

Now, once you have the trace data saved in a table it's easy to get that from there into Splunk. First, on a Heavy Forwarder or maybe a Search Head, install the Splunk DB Connect app. Once installed, create an identity (login) that will have access to the table you are saving your trace into, create a database connection to tell Splunk where/how to get to the DB server, then create a database input to finally retrieve the data into Splunk.

Happy Splunking!

vr2312
Contributor

Thank you so much for such a detailed description. I am already in the process of testing that. Waiting for the DB team to provide and implement necessary access.

Will keep you updated for any issues.

Thanks again @rich7177

Richfez
SplunkTrust
SplunkTrust

You are very welcome.

For what it's worth, I remember SQL trace data being very chatty. Enough that you will want to keep an eye on your licensing as you roll this out. It would be helpful to keep the trace logs as small as you can by only making traces for the databases, users and activities you need.

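As an added example (not code from the thread or from Splunk DB Connect), here are the two pieces you end up writing for the procedure in the accepted answer and the volume caveat in this reply: a read-only login for the DB Connect identity, and the rising-column query for the database input. The database name TraceDB, table dbo.SqlTrace, login splunk_dbx and the filter values are assumed placeholders.

```sql
-- Added example, not from the thread. Assumes the trace was saved with
-- Profiler's "save to table" into TraceDB.dbo.SqlTrace, so the table carries
-- the standard trace columns (RowNumber identity, EventClass, DatabaseName,
-- LoginName, HostName, ApplicationName, StartTime, TextData). All names and
-- filter values below are placeholders; adjust them to your environment.

-- 1. Identity for DB Connect: SELECT on the trace table and nothing else,
--    so a leaked forwarder credential cannot read or change anything else.
USE TraceDB;
CREATE LOGIN splunk_dbx WITH PASSWORD = '<strong-password-here>';  -- placeholder
CREATE USER splunk_dbx FOR LOGIN splunk_dbx;
GRANT SELECT ON OBJECT::dbo.SqlTrace TO splunk_dbx;

-- 2. Rising-column query for the DB Connect input. DB Connect replaces the
--    "?" with the last checkpoint value, so each run returns only rows newer
--    than the previous one. RowNumber is the identity column Profiler adds
--    when saving to a table, which makes it a safe rising column (monotonic,
--    never reused). Use StartTime as the event timestamp in the input.
--    Filtering at the source keeps the chatty trace within your licence:
--    only the databases, logins and event classes you need are indexed.
SELECT RowNumber,
       StartTime,
       EventClass,
       DatabaseName,
       LoginName,
       HostName,
       ApplicationName,
       -- TextData is ntext in the saved table; cast so it can be filtered
       -- and indexed as plain text.
       CAST(TextData AS NVARCHAR(MAX)) AS TextData
FROM dbo.SqlTrace
WHERE RowNumber > ?
  AND DatabaseName IN ('Payroll', 'CustomerDB')   -- placeholder databases
  AND LoginName NOT IN ('svc_monitor')             -- drop noisy service accounts
  -- 10 = RPC:Completed, 12 = SQL:BatchCompleted, 14 = Audit Login, 15 = Audit Logout
  AND EventClass IN (10, 12, 14, 15)
ORDER BY RowNumber ASC;
```

Paste the SELECT into the DB Connect input as a rising-column input with RowNumber as the rising column and StartTime as the timestamp column.
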
Richfez
SplunkTrust
SplunkTrust

If this has resolved (or was instrumental in resolving) your question, could you please "Accept" this answer? It will help others who search for this information later know that it is indeed a reasonably good answer.

And if you have further problems, you probably would do best to create a new Question specifically for it to keep this question and the new one both single-purpose.

Thanks,
Rich

vr2312
Contributor

Hello @rich7177, I will mark this response as an "answer" even though the server team is yet to lead this to a success. Thank you so much for all the inputs you had provided.

Will reach out to you if I observe any discrepancies. Thank you again for the tip 🙂
