Hi,
I use DBConnect 2 to pull McAfee endpoint security data from ePO into Splunk and that part works great. However, when I tried to pull additional audit data from the same database, the data won't show up in the index. The test of the SQL query in the DBConnect connection was successful and there's no error in the splunkd.log. Here's the stanza in the inputs.conf:
[mi_input://ta_mcafee_epo_5_input:audit]
disabled = 0
host = <SQL Host Name>
connection = <Connection Name>
index = mcafee
interval = * * * * *
max_rows = 10000
output_timestamp_format = YYYY-MM-dd HH:mm:ss
# changed "SELECT TOP 10000" to just "SELECT" because it's not working with DBXv2
query = SELECT [AutoId],[UserId],[UserName],[Priority],[CmdName],[Message],[Success],[StartTime],[EndTime],[RemoteAddress],[TenantId] FROM [ePO_MTIB-EPO-APP].[dbo].[OrionAuditLogMT] WHERE [AutoID] >10000
sourcetype = mcafee:audit
source = dbx1
mode = tail
tail_follow_only = 1
tail_rising_column_name = AutoID
tail_rising_column_number = 2
ui_query_mode = advanced
input_timestamp_column_name = timestamp
input_timestamp_column_number = 1
tail_rising_column_checkpoint_value = 10000
What could be the problem?
Thanks!
Wei
↧