Splunk® Supported Add-ons

Splunk Add-on for Oracle Database

Configure monitor inputs for the Splunk Add-on for Oracle Database

These instructions assume that your forwarders (or single instance Splunk Enterprise) are installed directly on your Oracle Database Servers.

Set up monitor stanzas in a local inputs.conf file to configure inputs for the following Oracle Database Server log files:

  • Audit log
  • Alert log
  • Listener log
  • Incident log
  • Trace log

Note that these instructions do not apply for logs based on database entries. See Configure Splunk DB Connect v3.8.0 inputs for the Splunk Add-on for Oracle Database for information about configuring inputs for logs based on database entries.

If you do not want to collect database events, do not include any of the DB Connect-dependent input stanzas in your local/inputs.conf, or you will see errors on startup.

Configure your inputs

1. Decide which Oracle log files in which kind of format (XML or plain text) you want the Splunk Add-on for Oracle Database to monitor. See the Source types for the Splunk Add-on for Oracle Database topic for a detailed listing of the log files and their corresponding Splunk source types.

2. Determine the location of each log file you want to monitor, if it differs from the default location. The table in the Source types for the Splunk Add-on for Oracle Database topic provides both the default locations and location queries in case the location has changed.

3. Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_oracle/local.

4. Add monitor stanzas for each log file that you want to monitor. Each stanza that you include should include the full path to the log file, the source type for that log file as defined in the "Data types" table, and the crcSalt attribute set to 

<SOURCE>

. The crcSalt attribute, when set to 

<SOURCE>

, ensures that each file has a unique CRC. The effect of this setting is that Splunk Enterprise assumes that each path name contains unique content.

Examples

Example for Oracle 21c on Linux

[monitor:///u01/app/oracle/admin/*/adump/*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/admin/*/adump/*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/diag/rdbms/*/*/alert/log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/diag/rdbms/*/*/trace/alert_*.log*]
sourcetype = oracle:alert:text
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/alert/log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/diag/tnslsnr/*/listener/trace/listener.log*]
sourcetype = oracle:listener:text
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/homes/*/rdbms/log/*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor:///u01/app/oracle/diag/rdbms/*/*/incident/incdir*/*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

Example for Oracle 21c on Windows

[monitor://C:\app\oracle\admin\*\adump\*.xml]
sourcetype = oracle:audit:xml
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\admin\*\adump\*.aud]
sourcetype = oracle:audit:text
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\diag\rdbms\*\*\alert\log.xml*]
sourcetype = oracle:alert:xml
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\diag\rdbms\*\*\trace\alert_*log*]
sourcetype = oracle:alert:text
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\diag\tnslsnr\*\listener\alert\log.xml*]
sourcetype = oracle:listener:xml
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\diag\tnslsnr\*\listener\trace\listener.log*]
sourcetype = oracle:listener:text
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\homes\*\rdbms\trace\*.trc]
sourcetype = oracle:trace
crcSalt = <SOURCE>
multiline_event_extra_waittime = true

[monitor://C:\app\oracle\diag\rdbms\*\*\incident\incdir*\*.trc]
sourcetype = oracle:incident
crcSalt = <SOURCE>
multiline_event_extra_waittime = true
Last modified on 22 April, 2022
Upgrade the Splunk Add-on for Oracle Database   Configure Splunk DB Connect v3.8.0 inputs for the Splunk Add-on for Oracle Database

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters