I'm configuring the DB Connect app (v3.1.1) with the SQL Server TA (v1.3.0) on a Heavy Forwarder (Splunk v6.6.5) in order to pull DMV data from our SQL environment. I'm using the default query templates.
All of the queries return data to the HF. However, 5 of them send their data to the Indexers with no host value (only source and sourcetype). Sample Splunk event:
8/1/18
2:36:48.340 PM
2018-08-01 14:36:48.340, object_name="MSSQL$ABCQ1:Memory Broker Clerks ", counter_name="Pressure evictions (pages/sec) ", instance_name="Column store object pool ", cntr_value="0", cntr_type="272696576", max_connection="32767", DatabaseName="master", ServerName="SRVSQLVQ4\ABCQ1"
source = sys.dm_os_performance_counters sourcetype = mssql:os:dm_os_performance_counters tag = database tag = performance
Has anyone seen this before?
Thanks.
Did you ever get a solution to this? I just recently set up this TA, and while I hadn't pinpointed it to the specific queries you seem to have identified, I do see that I am only getting a host field from ~90% of my events, which is terrible.
I'm not familiar with SQL Server, but you could join to a query similar to this in your DB Connect inputs to get the hostname (I know, horrible workaround, but we do something similar to get the database instance name):
Have you checked for errors in the logs? For instance, this one? https://answers.splunk.com/answers/421957/splunk-add-on-for-microsoft-sql-server-the-lookup.html
I did not update $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-sqlserver/default/transforms.conf because this TA lives on a Heavy Forwarder and that path is correct.
I do not see any errors in the logs, either on the HF or Indexers.
Note: I tried to manually set the host value via the app configuration, but events still do not have a host in Splunk.
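To measure how many events in each sourcetype are affected, and whether they can still be attributed to a machine, the check below runs over exported events. It is an added example and not part of the original thread. It assumes an export of (host, sourcetype, _raw) tuples and that `ServerName` has the `MACHINE\INSTANCE` form seen in the sample event. The `example:*` sourcetypes and their events are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed input: (indexed host, sourcetype, _raw), e.g. from a search export.
# The first _raw is the event quoted in the question (shortened); the rest are made up.
EVENTS = [
    ("", "mssql:os:dm_os_performance_counters",
     '2018-08-01 14:36:48.340, object_name="MSSQL$ABCQ1:Memory Broker Clerks ", '
     'cntr_value="0", DatabaseName="master", ServerName="SRVSQLVQ4\\ABCQ1"'),
    ("", "example:no_servername", '2018-08-01 14:36:49.000, cntr_value="1"'),
    ("SRVSQLVQ4", "example:with_host",
     '2018-08-01 14:36:50.000, cntr_value="2", ServerName="SRVSQLVQ4\\ABCQ1"'),
]

def parse_kv(raw):
    """Parse key="value" pairs; values are stripped because the sample event
    shows trailing spaces inside the quotes."""
    return {k: v.strip() for k, v in KV.findall(raw)}

def fallback_host(raw):
    """Machine part of ServerName (MACHINE\\INSTANCE), or None if not present."""
    server = parse_kv(raw).get("ServerName", "")
    machine = server.split("\\", 1)[0]
    return machine or None

def audit(events):
    """Per sourcetype: total events, events without a host, and how many of
    those could still be attributed to a machine via ServerName."""
    report = defaultdict(lambda: {"total": 0, "missing": 0, "recoverable": 0})
    for host, sourcetype, raw in events:
        row = report[sourcetype]
        row["total"] += 1
        if not host.strip():
            row["missing"] += 1
            if fallback_host(raw):
                row["recoverable"] += 1
    return dict(report)

if __name__ == "__main__":
    for sourcetype, row in sorted(audit(EVENTS).items()):
        print(sourcetype, row)
```

Sourcetypes where `missing` exceeds `recoverable` carry events that cannot be tied to any server from the event text alone, which matters for any detection or alert that filters on host.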