Splunk® Supported Add-ons

Splunk Add-on for Oracle Database

Download manual as PDF

Download topic as PDF

Configure monitor inputs for the Splunk Add-on for Oracle Database

These instructions assume that your forwarders (or single instance Splunk Enterprise) are installed directly on your Oracle Database Servers.

Set up monitor stanzas in a local inputs.conf file to configure inputs for the following Oracle Database Server log files:

  • Audit log
  • Alert log
  • Listener log
  • Incident log
  • Trace log

Note that these instructions do not apply for inventory or performance logs. See Configure Splunk DB Connect inputs for information about configuring inputs for inventory and performance logs.

If you do not want to collect inventory and performance events, do not include any of the DB Connect-dependent input stanzas in your local/inputs.conf, or you will see errors on startup.

Configure your inputs

1. Decide which Oracle log files in which kind of format (XML or plain text) you want the Splunk Add-on for Oracle Database to monitor. See the Source types for the Splunk Add-on for Oracle Database topic for a detailed listing of the log files and their corresponding Splunk source types.

2. Determine the location of each log file you want to monitor, if it differs from the default location. The table in the Source types for the Splunk Add-on for Oracle Database topic provides both the default locations and location queries in case the location has changed.

3. Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_oracle/local.

4. Add monitor stanzas for each log file that you want to monitor. Each stanza that you include should include the full path to the log file, the source type for that log file as defined in the "Data types" table, and the crcSalt attribute set to <SOURCE>. The crcSalt attribute, when set to <SOURCE>, ensures that each file has a unique CRC. The effect of this setting is that Splunk Enterprise assumes that each path name contains unique content.

Examples

Example for Oracle 10g Release 2 on Linux

[monitor:///u01/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor:///u01/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor:///u01/oracle/admin/*/bdump/alert*.log*]
sourcetype = oracle:alert:text
crcSalt = <SOURCE> 

[monitor:///u01/oracle/product/db_1/network/log/listener.log*]
sourcetype = oracle:listener:text
crcSalt = <SOURCE> 

[monitor:///u01/oracle/admin/orcl/udump/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

Example for Oracle 11g Release 2 on Linux

[monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log*.xml]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/alert/log*.xml]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/incident/incdir*/*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>

Example for Oracle 12c Release 1 on Linux

[monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/alert/log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/diag/rdbms/*/*/incident/incdir*/*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>

Example for Oracle 11g Release 2 on Windows

[monitor://C:\app\Administrator\admin\*\adump\*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor://C:\app\Administrator\admin\*\adump\*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor://C:\app\Administrator\diag\rdbms\*\*\alert\log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>

[monitor://C:\app\Administrator\diag\tnslsnr\*\listener\alert\log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>

[monitor://C:\app\Administrator\diag\rdbms\*\*\trace\*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

[monitor://C:\app\Administrator\diag\rdbms\*\*\incident\incdir*\*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>

Example for Oracle 12c Release 1 on Windows

[monitor://C:\app\oracle\admin\*\adump\*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>

[monitor://C:\app\oracle\admin\*\adump\*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>

[monitor://C:\app\oracle\diag\rdbms\*\*\alert\log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>

[monitor://C:\app\oracle\diag\tnslsnr\*\listener\alert\log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>

[monitor://C:\app\oracle\diag\rdbms\*\*\trace\*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>

[monitor://C:\app\oracle\diag\rdbms\*\*\incident\incdir*\*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>
Last modified on 28 November, 2018
PREVIOUS
Upgrade the Splunk Add-on for Oracle Database
  NEXT
Configure Splunk DB Connect v2.x inputs for the Splunk Add-on for Oracle Database

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters