It appears that the Splunk Add-on for Microsoft SQL Server is using the current _indextime instead of the value of event_time available in all audit events for SQL. Seems to me that audit related events should take advantage of the greatest degree of precision (on time) as possible!
I am struggling to override this default behavior using Splunk DB Connect 2. Has anyone else been able to get this to work, and if so, can you share the relevant portions of your inputs stanza?
Thank you!
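As an added example (not part of the original post or the add-on's own configuration), this is the shape of a DB Connect 2.x rising-column input that maps the audit event_time column to the event timestamp; the stanza name, connection name, audit file path and column list are assumptions, and the key names are taken from the DB Connect 2 db_inputs.conf spec as I remember it, so check them against your installed version's spec file.

```ini
# db_inputs.conf (Splunk DB Connect 2.x) -- example only, not the add-on's shipped input.
# Assumptions: a connection named "mssql_audit" already exists, and the audit
# files live under the path given to sys.fn_get_audit_file. Verify every key
# below against $SPLUNK_HOME/etc/apps/splunk_app_db_connect/README/db_inputs.conf.spec.
[mssql_audit_events]
connection = mssql_audit
index = mssql
sourcetype = mssql:audit
interval = 60
mode = rising

# event_time is deliberately the FIRST column: it is used both as the rising
# checkpoint (so each run only fetches newer audit rows) and as the event
# timestamp. The "?" is the placeholder DB Connect replaces with the last
# checkpoint value in rising mode. Audit event_time is recorded in UTC.
query = SELECT event_time, action_id, server_principal_name, database_name, object_name, statement \
        FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) \
        WHERE event_time > ? ORDER BY event_time ASC

# Column positions are 1-based and refer to the SELECT list above.
tail_rising_column_number = 1
input_timestamp_column_number = 1

# event_time is a native datetime2 column, so no input_timestamp_format is set;
# DB Connect reads the value directly. If you cast it to a string instead,
# supply a Java SimpleDateFormat pattern here, e.g. yyyy-MM-dd HH:mm:ss.SSS.
# input_timestamp_format = yyyy-MM-dd HH:mm:ss.SSS

disabled = 0
```

If your DB Connect 2 build exposes the tail_rising_column_fullname and input_timestamp_column_fullname keys, prefer those over the numeric variants so a change to the SELECT list cannot silently shift which column is used for the timestamp.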