I have tried the following queries in SQL Editor:
SELECT * FROM sys.fn_get_audit_file ('\\"mydatabase"\Z$\NONDBDATA\SQLAudits\Audit-Test_*.sqlaudit',default,default);
SELECT * FROM sys.fn_get_audit_file ('\\"mydatabase"\Z:\NONDBDATA\SQLAudits\Audit-Test_*.sqlaudit',default,default);
SELECT * FROM sys.fn_get_audit_file ('\\"mydatabase"\C:\SQLAudits',default,default);
I receive the following error:
com.microsoft.sqlserver.jdbc.SQLServerException: The specified pattern did not return any files or does not represent a valid file share. Verify the pattern parameter and rerun the command.
No results found.
Thanks!
I am seeing this same issue (DBConnect 3.1.3)
So i added the third backslash, but then realized that this broke the cron schedule.
In order to execute the query, and then set the rising column when creating the input via the web UI you need to have the 3 backslashes otherwise the query will not run, you can not set the rising column and therefore progress to saving the input.
But this extra backslash then doesn’t allow for the cron schedule to run correctly as the ‘path’ is not valid
If you manually remove the extra backslash from the db_inputs.conf and restart splunk then the scheduled cron job runs fine, BUT you will not be able to go back and modify the input via the web UI.
Bug in DBConnect?
Splunk Support here, logged this as a bug for the DBX GUI to Engineering for now: reference DBX-4616
thank you!
Hi ltrotter83,
had this problem and the exact same error message before, and it got resolved by using this SQL statement:
SELECT * FROM sys.fn_get_audit_file ('\\\<servername>\<sharename>\*.sqlaudit',null,null);
The important thing was to use three backslashes instead of only two. It looks like DB connect interpreted the first \
as escape character ?! ¯\_(ツ)_/¯
I only found out, while running a SQL trace on the SQL server side while running this query.
Hope this helps ...
cheers, MuS