Splunk® Supported Add-ons

Splunk Add-on for Oracle Database

Release notes for the Splunk Add-on for Oracle Database

Version 4.1.0 of the Splunk Add-on for Oracle Database was released on April 21, 2022.

About this release

Version 4.1.0 of the Splunk Add-on for Oracle Database is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2
Splunk DB Connect 3.8.0
CIM 5.0.1
Platforms Platform independent
Vendor Products Oracle Database Server 11g/12.1/12.2/19c/21c

Splunk DB Connect version 2.x reached its End of Life on July 7, 2019

New features

  • Support for Oracle Database Version 21c.
  • Support for CIM version 5.0.1.
    • Mapped these action numbers for the oracle:audit:xml source type to use the Change.Account_Management data model: 101, 108, 43, 51, 53, 65, 66, 67
    • Mapped these action numbers for the oracle:audit:text source type to use the Change.Account_Management data model: 17, 51, 53, 67
    • Mapped events for the oracle:connections:poolStats source type to the Databases.Database_Instance.Instance_Stats data model.
  • Enhanced mappings and tags.

Starting from the release for Oracle 21c, Oracle will no longer support traditional auditing, as referenced here. Splunk best practice is to use Oracle Unified Auditing instead of previous Oracle Auditing functionality. Also note, Splunk may no longer support the source types for these previous auditing configs (such as oracle:audit:text and oracle:audit:xml) in upcoming releases of the the Splunk Add-on for Oracle Database.

CIM Data Model Changes

Source type ACTION Previous CIM model New CIM model
oracle:audit:xml 100 Databases Authentication
oracle:audit:xml 101, 108, 43, 51, 53, 65, 66, 67 Databases Change.Account_Management
Source type ACTION_NUMBER Previous CIM model New CIM model
oracle:audit:text 100 Authentication
oracle:audit:text 17, 51, 53, 67 Change.Account_Management
Source type Previous CIM model New CIM model
oracle:connections:poolStats Databases.Database_Instance Databases.Database_Instance.Instance_Stats

Field Changes

Source type ACTION_NAME Fields added Fields removed
['oracle:audit:unified'] ALTER DATABASE, CREATE LIBRARY, ALTER PLUGGABLE DATABASE, ALTER USER, ALTER TABLE, CREATE DIRECTORY, ALTER SYSTEM, EXECUTE, CREATE PLUGGABLE DATABASE, DROP DIRECTORY user_name, result, signature, ACTION_CODE
['oracle:audit:unified'] GRANT, ALTER PROFILE action, object_category, ACTION_CODE, signature, user_name, result, src_user
['oracle:audit:unified'] CREATE SYNONYM, CREATE DATABASE LINK, DROP DATABASE LINK ACTION_CODE, signature, user_name, result, src_nt_domain
['oracle:audit:unified'] CREATE PROFILE, DROP PROFILE action, object_category, ACTION_CODE, signature, user_name, result, src_user, src_nt_domain
['oracle:audit:unified'] DROP USER, CREATE USER action, ACTION_CODE, signature, user_name, result
['oracle:audit:unified'] LOGOFF ACTION_CODE, signature, user_name, result, src_user, src_nt_domain
['oracle:audit:unified'] LOGON ACTION_CODE, signature, user_name, status, src_user_type, user_type, result, src_nt_domain
Source type ACTION Fields added Fields removed
['oracle:audit:xml'] 43, 53, 51 CURRENT_USER, object_category, signature, user_name, result_id, signature_id
['oracle:audit:xml'] 65 CURRENT_USER, action, object_category, signature, user_name, status, result_id, change_type, result, RETURNCODE, signature_id
['oracle:audit:xml'] 66, 67 CURRENT_USER, action, object_category, signature, user_name, status, result_id, change_type, signature_id
['oracle:audit:xml'] 79 result_id, user_name, signature, signature_id eventtype, tag::eventtype, tag
['oracle:audit:xml'] 100, 108 CURRENT_USER, signature, user_name, result_id, signature_id
['oracle:audit:xml'] 101 object_category, signature, user_name, status, result_id, change_type, signature_id
Source type ACTION_NUMBER Fields added Fields removed
['oracle:audit:text'] 17 action, object_category, object_attrs, signature, tag::eventtype, eventtype, result, src_user, RETURNCODE, signature_id tag::PRIVILEGE
['oracle:audit:text'] 187, 57, 40, 91, 138, 44 RETURNCODE, result, signature, signature_id user_name, tag::PRIVILEGE, tag
['oracle:audit:text'] 42, 49 RETURNCODE, result, signature, signature_id object_category, user_name, tag::PRIVILEGE, tag
['oracle:audit:text'] 43 RETURNCODE, result, signature, signature_id tag::PRIVILEGE
['oracle:audit:text'] 47 RETURNCODE, result, signature, signature_id user_name
['oracle:audit:text'] 53, 51 action, object_category, user, signature, tag::eventtype, user_name, eventtype, result, RETURNCODE, signature_id tag::PRIVILEGE
['oracle:audit:text'] 67 action, object_category, tag::eventtype, signature, eventtype, result, src_user, RETURNCODE, signature_id user_name, tag::PRIVILEGE
['oracle:audit:text'] 100 action, tag::eventtype, signature, tag, eventtype, result, reason, RETURNCODE, signature_id
Source type Fields added Fields removed
['oracle:table'] vendor_product
Source type Fields added Fields removed
['oracle:connections'] vendor_product
Source type Fields added Fields removed
['oracle:sga'] vendor_product
Source type Fields added Fields removed
['oracle:sysPerf'] vendor_product
Source type Fields added Fields removed
['oracle:database'] vendor_product
Source type Fields added Fields removed
['oracle:session'] vendor_product
Source type Fields added Fields removed
['oracle:sqlMonitor'] records_affected, tables_hit, indexes_hit
Source type Fields added Fields removed
['oracle:tablespaceMetrics'] vendor_product
Source type Fields added Fields removed
['oracle:query'] vendor_product
Source type Fields added Fields removed
['oracle:database:size'] vendor_product
Source type Fields added Fields removed
['oracle:pool:connections'] vendor_product
Source type Fields added Fields removed
['oracle:user'] vendor_product


Fixed issues

Version 4.1.0 of the Splunk Add-on for Oracle Database contains the following fixed issues.

Date Filed Issue Number Description
2022-02-23 ADDON-14795 [PUBLIC] [Oracle]Part of CLOB fields extracted in oracle:audit:unified via DBX V3 are missing from the UI



Known issues

Version 4.1.0 of the Splunk Add-on for Oracle Database contains the following known issues. If no issues appear below, no issues have yet been reported.


Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Oracle Database does not incorporate any third-party software or libraries.

Last modified on 26 April, 2022
Source types for the Splunk Add-on for Oracle Database   Release history of the Splunk Add-on for Oracle Database

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters