Skip to main content

Database query data

  • Updated

Database query data is a type of database data that shows the SQL statements that are being sent to the database by clients. The clients could be command line SQL front end tools or JDBC or ODBC based applications that send SQL statements and receive results returned from the database. Splunk can be one of these SQL clients with the use of the DB Connect application.  SQL activity is synonymous with query activity and is what is meant by query data in this context. 

Data visibility 

Structured Query Language (SQL) statements are the main interface in relational databases. SQL statements are used to create, read, update, and delete data in the database. Visibility into this activity enables you to do all of the following and more:

  • Detect and identify long running queries as candidates for optimization
  • Detect and identify slow queries as candidates for optimization
  • Monitor trends in query behavior for capacity and planning
  • Detect unauthorized data access 
  • Attest to compliance with data governance controls and rules

How can I use this data?

When your Splunk deployment is ingesting database query data you can use the data to achieve objectives related to the following use cases:

High-value fields

This data type has many available fields, but users typically derive the most value out of the fields listed here.

query

Full text of the SQL statement 

user

Name of the database process user

instance _name

Name of the database instance

sessions

Number of sessions currently in use by the database instance

src

Source of the database event, typically the IP address or host name of the client issuing the request 

 

Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, database query data is typically mapped to the Databases data model.  

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.

Data Source

Sourcetype

Recommend Add-Ons

Oracle

sourcetype="oracle:<>"

There are many available sourcetypes, depending on what data you need.

Splunk Add-on for Oracle Database

Splunk

N/A

Splunk DB Connect

MySQL

sourcetype="mysql:generalQueryLog"

sourcetype="mysql:slowQueryLog"

sourcetype="mysql:generalQueryLogDb"

sourcetype="mysql:slowQueryLogDb"

Splunk Add-on for MySQL

Microsoft

sourcetype="mssql:<>"

There are many available sourcetypes, depending on what data you need.

Splunk Add-on for Microsoft SQL Server

Wiredata

sourcetype=”stream:tns” (Oracle), or “stream:postgres” or stream:mysql or stream:tds (Sybase / MS SQL Server) stream:

Splunk Stream  

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.