All Apps and Add-ons

After installing the DB_Connect Add-on, why can't I find \local folder when trying to configure trace and audit log collection?

davisjr
New Member

I cannot find a \local folder under %SPLUNK_HOME%\etc\apps\splunk_app_db_connect\ after installing the DB_Connect add on. I have restarted the SQL services and Splunk service. We are running Windows Server 2012 R2. There is a \locale folder but no inputs.conf contained in the folder.

Following this documentation to configure SQL audit log collection into Splunk.
http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/ConfigureDBConnectv1inputs

0 Karma

_gkollias
SplunkTrust
SplunkTrust

Hi, Out of the box there may only be a \default directory - I'll see what I can find. It looks like if you use a database connection name other than sqlserver_default_connection, then you will want to replace all instances of the string sqlserver_default_connection in %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf with the name you select instead. You may want to create a new \local directory to add your new inputs.conf in so it overrides anything in \default.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Also, make sure you are not confusing the locale and the local folder`. The former might have language specific stuff while the latter has your added configuration.

Also, if you created something that you would expect to be in the local folder, it might actually be there - but in another app! As in, if you were working in another app context when you created the new configuration through the UI then peek there. You should be able to validate this by seeing what app context the configuration lives in through the UI (look at the data inputs listing and you may see a column for this info).

If all else fails, btool http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati... will save you. By looking at all configuration you can use the debug flag to pinpoint what you're looking for.

davisjr
New Member

Thank you both. Will check out these answers and will be back if I have any more questions. Appreciate the help.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...