I cannot find a \local folder under %SPLUNK_HOME%\etc\apps\splunk_app_db_connect\ after installing the DB_Connect add on. I have restarted the SQL services and Splunk service. We are running Windows Server 2012 R2. There is a \locale folder but no inputs.conf contained in the folder.
Following this documentation to configure SQL audit log collection into Splunk.
http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/ConfigureDBConnectv1inputs
Hi, Out of the box there may only be a \default directory - I'll see what I can find. It looks like if you use a database connection name other than sqlserver_default_connection, then you will want to replace all instances of the string sqlserver_default_connection in %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf with the name you select instead. You may want to create a new \local directory to add your new inputs.conf in so it overrides anything in \default.
Also, make sure you are not confusing the locale
and the local
folder`. The former might have language specific stuff while the latter has your added configuration.
Also, if you created something that you would expect to be in the local
folder, it might actually be there - but in another app! As in, if you were working in another app context when you created the new configuration through the UI then peek there. You should be able to validate this by seeing what app context the configuration lives in through the UI (look at the data inputs listing and you may see a column for this info).
If all else fails, btool
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati... will save you. By looking at all configuration you can use the debug flag to pinpoint what you're looking for.
Thank you both. Will check out these answers and will be back if I have any more questions. Appreciate the help.