How to ingest Microsoft .xel logs

ericlarsen · ‎01-06-2020

I have a need to ingest certain SQL Server logs, in a proprietary .xel format, into Splunk.

Do I need to somehow first get these logs into a common file type/format before ingesting them? If so, how would I do that?

Thanks.

badrinath_itrs · ‎01-06-2020

SPLUNK does not support ingestion of .xel format logs directly, but you can use the sys.fn_xe_file_target_read_file function on the SQL server side to convert the logs and may use DB Connect to ingest the data into SPLUNK .

ericlarsen · ‎01-07-2020

Thanks for the response. Since I have a large number of servers, I'm trying to avoid using DB Connect. I was hoping for direct ingestion.

zippo706 · ‎07-08-2020

Hello,

I am curious if you have found another way to accomplish this. For us, going through audit functions to a blob storage on a heavily used azure sql database is beyond painful and completely impractical.

arjunpkishore5 · ‎01-11-2020

You can do direct ingestion if they are text files, not proprietary .xel files. So if you can convert them beforehand, then yes

How to ingest Microsoft .xel logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases