Ingesting Trace Logs into Splunk

vr2312
Contributor

I am looking to ingest SQL Trace Logs into Splunk.

Can anyone direct me on how this could be achieved?


Richfez
SplunkTrust

This should be no problem, but you have to create/use your trace in a particular way.

When you create the trace, choose the option to "save to table" which will save the trace into a database table. I don't remember if you can save a trace to a different DB hosted on the server you are tracing, but I think you can. This is really a "SQL Trace Configuration" issue, so read through Microsoft's docs if you have difficulties.

Now, once you have the trace data saved in a table it's easy to get that from there into Splunk. First, on a Heavy Forwarder or maybe a Search Head, install the Splunk DB Connect app. Once installed, create an identity (login) that will have access to the table you are saving your trace into, create a database connection to tell Splunk where/how to get to the DB server, then create a database input to finally retrieve the data into Splunk.

Happy Splunking!
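
As an added example (not part of the original answer), the SQL Server side of the steps above could look like this: a read-only login for the DB Connect identity and a rising-column query for the database input. The names TraceDB, dbo.SqlTrace and splunk_dbx are assumptions, as is the RowNumber identity column that Profiler adds when it saves a trace to a table; the other columns exist only if they were selected in the trace.

```sql
-- Assumed names (not from the thread): database TraceDB, trace table
-- dbo.SqlTrace, login/user splunk_dbx. Replace them with your own.

-- 1. Dedicated login used only by the DB Connect identity.
CREATE LOGIN splunk_dbx
    WITH PASSWORD = '<set-a-strong-password>',  -- placeholder, not a real value
         CHECK_POLICY = ON;
GO

USE TraceDB;
GO

-- 2. Map the login to a database user with no role membership.
CREATE USER splunk_dbx FOR LOGIN splunk_dbx;
GO

-- 3. Grant read access to the trace table only, nothing else in the database.
GRANT SELECT ON OBJECT::dbo.SqlTrace TO splunk_dbx;
GO

-- 4. Query for the DB Connect database input in rising-column mode.
--    The "?" is DB Connect's checkpoint placeholder: it is replaced with the
--    last RowNumber already indexed, so each run fetches only new rows.
--    (Paste this into the input definition; it does not run as-is in SSMS.)
SELECT RowNumber,
       StartTime,
       EventClass,
       DatabaseName,
       LoginName,
       HostName,
       ApplicationName,
       SPID,
       Duration,
       TextData
FROM dbo.SqlTrace
WHERE RowNumber > ?
ORDER BY RowNumber ASC;
```

TextData holds the captured statement text, which can include literal values, so access to the destination index should be as restricted as access to the trace table itself.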

vr2312
Contributor

Thank you so much for such a detailed description. I am already in the process of testing that. Waiting for the DB team to provide and implement necessary access.

Will keep you updated for any issues.

Thanks again @rich7177

Richfez
SplunkTrust

You are very welcome.

For what it's worth, I remember SQL trace data being very chatty. Enough that you will want to keep an eye on your licensing as you roll this out. It would be helpful to keep the trace logs as small as you can by only making traces for the databases, users and activities you need.

Richfez
SplunkTrust

If this has resolved (or was instrumental in resolving) your question, could you please "Accept" this answer? It will help others who search for this information later know that it is indeed a reasonably good answer.

And if you have further problems, you probably would do best to create a new Question specifically for it to keep this question and the new one both single-purpose.

Thanks,
Rich

vr2312
Contributor

Hello @rich7177, I will mark this response as an "answer" even though the server team is yet to lead this to a success. Thank you so much for all the inputs you had provided.

Will reach out to you if I observe any discrepancies. Thank you again for the tip 🙂
