Source types for the Splunk Add-on for Oracle Database
The Splunk Add-on for Oracle Database collects different logs and events from different sources in Oracle Database Server. The add-on assigns different source types for each different log or event source.
There are two major groups of source types for the Splunk Add-on for Oracle Database. Each group depends on how events are collected:
- Collected through file monitoring (based on log files)
- Collected through Splunk DB Connect (based on database entries)
Log file source types
Many Oracle log files offer the option of a plain text format or an XML format. You can choose to configure the logs in either of these formats because this add-on supports field extractions for both formats. In general, XML-formatted logs have more verbose information and are easier to parse, but may occupy more OS disk space.
You can customize the location and name of most log files in Oracle. The table below provides the default location for each log file and a query that you can run in case the location has changed.
More information about the different log and event data supported by this add-on is available below the table.
All listed source types based on log files are for Oracle Versions 11g/12.1/12.2/19c/21c
| Log/ Event |
Log Format | Source Type | Default File Location | CIM Data Model |
|---|---|---|---|---|
| Audit Log | Plain text | oracle:audit:text
|
$ORACLE_BASE/admin/$ORACLE_SID/adump/*.aud Query this location by issuing show parameter AUDIT_FILE_DEST;
|
Authentication, Databases, |
| XML | oracle:audit:xml
|
$ORACLE_BASE/admin/$ORACLE_SID/adump/*.xml Query this location by issuing show parameter AUDIT_FILE_DEST;
|
Databases,Authentication, | |
| Alert Log | Plain text | oracle:alert:text
|
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ trace/alert_$ORACLE_SID.logQuery this location by issuing |
N/A |
| XML | oracle:alert:xml
|
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ alert/log.xml
Query this location by issuing |
N/A | |
| Listener Log | Plain text | oracle:listener:text
|
$ORACLE_BASE/product/db_1/network/log/listener.logFor 21c:
|
N/A |
| XML | oracle:listener:xml
|
$ORACLE_BASE/diag/tnslsnr/$HOST_NAME/listener/ alert/log.xml Query this location by running |
N/A | |
| Incident log | Plain text | oracle:incident
|
$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ incident/*/*.trcQuery this location by issuing |
N/A |
| Trace log | Plain text | oracle:trace
|
For 10g:$ORACLE_HOME/admin/$ORACLE_SID/ udump/*.trcFor 11g/12c: |
N/A |
Database entry source types
Collect the following metrics using Splunk DB Connect.
The source types are based on specific database tables or views to get essential type of data (eg. V$SESSION or DBA_TABLESPACES to get session or tablespace information). Additional tables or views may be involved to collect more detail information (eg. beside V$SESSION, V$INSTANCE to build oracle:session events) or for other reasons (eg. DUAL for oracle:sga).
Date columns or current date (index time) can be used to define event timestamp.
Tables/views that contain data for current state are used to collect data in batches. Events from tables/views that contain historical or dynamic data are collected in rising mode. Date columns are used to define checkpoint for incremental load.
| Object | Oracle Version | Source Type | Tables/Views | Time | Mode | CIM Data Model |
|---|---|---|---|---|---|---|
| Database | 11g/12.1/12.2/19c/21c | oracle:database
|
V$DATABASE
|
current | batch | Databases |
| Instance | 11g/12.1/12.2/19c/21c | oracle:instance
|
V$INSTANCE
|
current | batch | Databases |
| Session | 11g/12.1/12.2/19c/21c | oracle:session
|
V$SESSION
|
current | batch | Databases |
| Tablespace | 11g/12.1/12.2/19c/21c | oracle:tablespace
|
DBA_TABLESPACES |
current | batch | N/A |
| Tablespace Metrics | 11g/12.1/12.2/19c/21c | oracle:tablespaceMetrics
|
V$TEMP_SPACE_HEADER
|
current | batch | Databases |
| System Global Area (SGA) | 11g/12.1/12.2/19c/21c | oracle:sga
|
V$SGA
|
current | batch | Databases |
| Cache | 11g/12.1/12.2/19c/21c | oracle:libraryCachePerf
|
V$LIBRARYCACHE |
current | batch | N/A |
| I/O performance | 11g/12.1/12.2/19c/21c | oracle:dbFileIoPerf
|
V$FILESTAT
|
current | batch | N/A |
| Host performance | 11g/12.1/12.2/19c/21c | oracle:osPerf
|
V$OSSTAT |
current | batch | N/A |
| System performance | 11g/12.1/12.2/19c/21c | oracle:sysPerf
|
V$SYSMETRIC_HISTORY
|
current | rising by V$SYSMETRIC_HISTORY.END_TIME | Databases |
| Connections performance | 11g/12.1/12.2/19c/21c | oracle:connections
|
V$SESSION
|
current | batch | Databases |
| Connections pool performance | 11g/12.1/12.2/19c/21c | oracle:pool:connections
|
DBA_CPOOL_INFO
|
current | batch | Databases |
| Table | 11g/12.1/12.2/19c/21c | oracle:table
|
ALL_TABLES
|
current | batch | Databases |
| Database size | 11g/12.1/12.2/19c/21c | oracle:database:size
|
V$DATAFILE
|
current | batch | Databases |
| User | 11g/12.1/12.2/19c/21c | oracle:user
|
ALL_USERS
|
current | batch | Databases |
| Queries performance | 11g/12.1/12.2/19c/21c | oracle:query
|
V$SQLAREA
|
current | batch | Databases |
| Unified Auditing Log | 11g/12.1/12.2/19c/21c | oracle:audit:unified
|
UNIFIED_AUDIT_TRAIL
|
UNIFIED_AUDIT_TRAIL.EVENT_TIMESTAMP_UTC | rising by UNIFIED_AUDIT_TRAIL.EVENT_TIMESTAMP_UTC | Authentication, Change |
| SQL Monitor | 19c/21c | oracle:sqlMonitor
|
V$SQL_MONITOR
|
V$SQL_MONITOR.SQL_EXEC_START | rising by V$SQL_MONITOR.SQL_EXEC_START | Databases |
| Connections pool statistics | 12.2/19c/21c | oracle:connections:poolStats
|
V$INSTANCE
|
current | batch | Databases |
| About the Splunk Add-on for Oracle Database | Release notes for the Splunk Add-on for Oracle Database |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Download manual
Feedback submitted, thanks!