
Why isn't my Splunk setup capturing mssql performance and audit data?

mandar_alawani
New Member

Hi,

My setup (all on one server - test environment):
Splunk Enterprise 7
Splunk Add-on for Microsoft SQL Server Splunk_TA_microsoft-sqlserver 1.3.0
Splunk DB Connect splunk_app_db_connect 3.1.1

I have been able to create a Data input for one test table.

I have edited inputs.conf and sqlserver_dbx2.conf as below (these are some of the stanzas):

[mssql:audit]
description = Collect audit event data from audit log file
interval = 60
mode = rising
index_time_mode = current
query = SELECT * \
FROM sys.fn_get_audit_file ('C:\\SQLAudit\\*',default,default) \
WHERE event_time > ? \
ORDER BY event_time ASC
sourcetype = mssql:audit
rising_column_index = 1

[mssql:processes]
description = Collect information of processes that are running on an instance of SQL Server
interval = 300
mode = batch
index_time_mode = current
query = SELECT a.*, b.name,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM sys.sysprocesses a JOIN sys.databases b ON a.dbid = b.database_id
sourcetype = mssql:processes

[mssql:databases]
description = Collect information about databases in a SQL Server instance
interval = 300
mode = batch
index_time_mode = current
query = SELECT *,CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS ServerName, db_name() AS DatabaseName FROM sys.databases
sourcetype = mssql:databases

But I am NOT able to get Splunk to capture this data. I can only see data as follows:

When I use index=_internal, from:
log files in the C:\program Files\Splunk folder, e.g. splunkd.log

When I use index=main, from:
source = Perfmon:Perfmon_Local
sourcetype = Perfmon:Perfmon_Local

Can someone help me capture this data?

Thanks,
Mandar


jplumsdaine22
Influencer

Did you follow the instructions for dbconnect v3? http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/ConfigureDBConnectv3inputs

sqlserver_dbx2.conf is for dbconnect version 2
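
An added example (not from the original thread or from Splunk): a Python check for the mismatch pointed out above, listing the stanzas that sit in sqlserver_dbx2.conf while the installed DB Connect reports version 3.x. It assumes both apps live under one apps directory, that DB Connect's version is read from the [launcher] stanza of its default/app.conf, and that the add-on file sits in local/; the sample files and the function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

SAMPLE = {  # constructed files; the audit stanza is abridged from the question
    "splunk_app_db_connect/default/app.conf": "[launcher]\nversion = 3.1.1\n",
    "Splunk_TA_microsoft-sqlserver/local/sqlserver_dbx2.conf": r"""[mssql:audit]
query = SELECT * \
FROM sys.fn_get_audit_file ('C:\\SQLAudit\\*',default,default) \
WHERE event_time > ? \
ORDER BY event_time ASC

[mssql:databases]
mode = batch
""",
}

def parse_conf(text):
    """Parse .conf text: [stanza] headers, key = value, trailing-backslash continuation."""
    conf, stanza, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # value continues on the next line
            buf += line[:-1].strip() + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line.startswith("[") and line.endswith("]"):
            stanza = conf.setdefault(line[1:-1], {})
        elif "=" in line and stanza is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanza[key.strip()] = value.strip()
    return conf

def find_v2_inputs(apps_dir):
    """Return (path, stanza) pairs from sqlserver_dbx2.conf when DB Connect is 3.x."""
    app_conf = Path(apps_dir, "splunk_app_db_connect", "default", "app.conf")
    version = parse_conf(app_conf.read_text()).get("launcher", {}).get("version", "")
    if not version.startswith("3."):
        return []
    return [(str(path), name)
            for path in sorted(Path(apps_dir).rglob("sqlserver_dbx2.conf"))
            for name in parse_conf(path.read_text())]

def demo():
    """Write SAMPLE into a temporary apps directory and run the check on it."""
    apps = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE.items():
        (apps / rel).parent.mkdir(parents=True, exist_ok=True)
        (apps / rel).write_text(body)
    return [name for _path, name in find_v2_inputs(apps)]
```

Calling `find_v2_inputs` with the real apps directory returns the file path next to each stanza name, so an input like mssql:audit that was defined only in the v2 file is easy to spot.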
