All Apps and Add-ons

After installing the DB_Connect Add-on, why can't I find \local folder when trying to configure trace and audit log collection?

davisjr
New Member

I cannot find a \local folder under %SPLUNK_HOME%\etc\apps\splunk_app_db_connect\ after installing the DB_Connect add on. I have restarted the SQL services and Splunk service. We are running Windows Server 2012 R2. There is a \locale folder but no inputs.conf contained in the folder.

Following this documentation to configure SQL audit log collection into Splunk.
http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/ConfigureDBConnectv1inputs

0 Karma

_gkollias
SplunkTrust
SplunkTrust

Hi, Out of the box there may only be a \default directory - I'll see what I can find. It looks like if you use a database connection name other than sqlserver_default_connection, then you will want to replace all instances of the string sqlserver_default_connection in %SPLUNK_HOME%\etc\apps\dbx\local\inputs.conf with the name you select instead. You may want to create a new \local directory to add your new inputs.conf in so it overrides anything in \default.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Also, make sure you are not confusing the locale and the local folder`. The former might have language specific stuff while the latter has your added configuration.

Also, if you created something that you would expect to be in the local folder, it might actually be there - but in another app! As in, if you were working in another app context when you created the new configuration through the UI then peek there. You should be able to validate this by seeing what app context the configuration lives in through the UI (look at the data inputs listing and you may see a column for this info).

If all else fails, btool http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati... will save you. By looking at all configuration you can use the debug flag to pinpoint what you're looking for.

davisjr
New Member

Thank you both. Will check out these answers and will be back if I have any more questions. Appreciate the help.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...