Skip to content

Source types for the Splunk Add-on for Microsoft SQL Server

The Splunk Add-on for Microsoft SQL Server collects different kinds of data from Microsoft SQL Server and assigns a source type for each kind of data. It collects data through file monitoring, Windows Performance Monitoring, and through Splunk DB Connect:

Source types collected through file monitoring

Log Log format Description Source type File location CIM data models
Error log Plain text The error log contains error messages as well as some activities of SQL Server. mssql:errorlog After you install and start Microsoft SQL Server, the server creates this log file under the SQL Server installation folder. Example Location: C:\Program Files\Microsoft SQL Server\ MSSQL11.MSSQLSERVER\MSSQL\Log\ERRORLOG* Authentication
Agent log Plain text The agent log records SQL Server agent service related activities. mssql:agentlog After you install and start the Microsoft SQL Server agent, the server creates this log file under the SQL Server installation folder. Example Location: C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\SQLAGENT.OUT None

Source types collected through Windows Performance Monitoring

Object Counter Source type CIM data models
Processor % Processor Time perfmon:sqlserverhost:processor None
Network Interface Current Bandwidth; Bytes Total/sec perfmon:sqlserverhost:network None
Memory % Committed Bytes In Use; Pages/sec; Available Mbytes; Pages perfmon:sqlserverhost:memory None
SQLServer:Buffer Manager * perfmon:sqlserver:buffer_manager None
SQLServer:Databases Active Transactions; Data File(s) Size (KB); Log File(s) Size (KB);Log File(s) Used Size (KB); Transactions/sec perfmon:sqlserver:databases None
SQLServer:Memory Manager Total Server Memory (KB);Granted Workspace Memory (KB);Maximum Workspace Memory (KB);Memory Grants Outstanding;Memory Grants Pending;Target Server Memory (KB) perfmon:sqlserver:memory_manager None
LogicalDisk Avg. Disk sec/Read; Avg. Disk sec/Write perfmon:sqlserverhost:logicaldisk None
PhysicalDisk Disk Reads/sec; Disk Writes/sec; Avg. Disk sec/Read; Avg. Disk sec/Write; Avg. Disk sec/Transfer; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Queue Length perfmon:sqlserverhost:physicaldisk None
Paging File % Usage; % Usage Peak perfmon:sqlserverhost:paging_file None
Process Private Bytes; % Processor Time perfmon:sqlserverhost:process None
System Processor Queue Length; Context Switches/sec perfmon:sqlserverhost:system None
SQLServer:General Statistics User Connections; Processes blocked; Logins/sec; Logout/sec perfmon:sqlserver:general_statistics None
SQLServer:SQL Statistics Batch Requests/sec; SQL Compilations/sec; SQL re-Compilations/sec; SQL Attention Rate/sec; Auto-Param Attempts/sec; Failed Auto-Params/sec; Safe Auto-Params/sec; Unsafe Auto-Params/sec perfmon:sqlserver:sql_statistics None
SQLServer:Access Methods Forwarded Records/sec; Full Scans/sec; Index Searches/sec;Page Splits/sec; Workfiles Created/sec; Worktables Created/sec; Worktables From Cache Ratio; Table Lock Escalations/sec perfmon:sqlserver:access_methods None
SQLServer:Latches Latch Waits/sec; Avg Latch Wait Time (ms); Total Latch Wait Time (ms) perfmon:sqlserver:latches None
SQLServer:SQL Errors Errors/sec perfmon:sqlserver:sql_errors None
SQLServer:Locks Number of Deadlocks/sec; Average Wait Time (ms) perfmon:sqlserver:locks None
SQLServer:Transactions Transactions; Longest Transaction Running Time perfmon:sqlserver:transactions None

Source types collected through Splunk DB Connect

Data from Dynamic Management View

Type Dynamic Management View Source type CIM or ITSI data models
alwayson sys.dm_hadr_auto_page_repair mssql:alwayson:dm_hadr_auto_page_repair None
alwayson sys.dm_hadr_availability_group_states mssql:alwayson:dm_hadr_availability_group_states None
alwayson sys.dm_hadr_availability_replica_cluster_nodes mssql:alwayson:dm_hadr_availability_replica_cluster_nodes None
alwayson sys.dm_hadr_availability_replica_cluster_states mssql:alwayson:dm_hadr_availability_replica_cluster_states None
alwayson sys.dm_hadr_availability_replica_states mssql:alwayson:dm_hadr_availability_replica_states None
alwayson sys.dm_hadr_cluster mssql:alwayson:dm_hadr_cluster None
alwayson sys.dm_hadr_cluster_members mssql:alwayson:dm_hadr_cluster_members None
alwayson sys.dm_hadr_cluster_networks mssql:alwayson:dm_hadr_cluster_networks None
alwayson sys.dm_hadr_database_replica_cluster_states mssql:alwayson:dm_hadr_database_replica_cluster_states None
alwayson sys.dm_hadr_database_replica_states mssql:alwayson:dm_hadr_database_replica_states None
alwayson sys.dm_hadr_instance_node_map mssql:alwayson:dm_hadr_instance_node_map None
alwayson sys.dm_hadr_name_id_map mssql:alwayson:dm_hadr_name_id_map None
alwayson sys.dm_tcp_listener_states mssql:alwayson:dm_tcp_listener_states None
database sys.dm_db_file_space_usage mssql:database:dm_db_file_space_usage None
database sys.dm_db_partition_stats mssql:database:dm_db_partition_stats None
database sys.dm_db_session_space_usage mssql:database:dm_db_session_space_usage None
database sys.dm_db_uncontained_entities mssql:database:dm_db_uncontained_entities None
database sys.dm_db_fts_index_physical_stats mssql:database:dm_db_fts_index_physical_stats None
database sys.dm_db_persisted_sku_features mssql:database:dm_db_persisted_sku_features None
database sys.dm_db_task_space_usage mssql:database:dm_db_task_space_usage None
execution sys.dm_exec_query_stats mssql:execution:dm_exec_query_stats Databases, Database (ITSI)
execution sys.dm_exec_sessions mssql:execution:dm_exec_sessions Databases, Database (ITSI)
execution sys.dm_exec_background_job_queue mssql:execution:dm_exec_background_job_queue None
execution sys.dm_exec_background_job_queue_stats mssql:execution:dm_exec_background_job_queue_stats None
execution sys.dm_exec_cached_plans mssql:execution:dm_exec_cached_plans None
execution sys.dm_exec_connections mssql:execution:dm_exec_connections None
execution sys.dm_exec_procedure_stats mssql:execution:dm_exec_procedure_stats None
execution sys.dm_exec_query_memory_grants mssql:execution:dm_exec_query_memory_grants None
execution sys.dm_exec_query_optimizer_info mssql:execution:dm_exec_query_optimizer_info None
execution sys.dm_exec_query_resource_semaphores mssql:execution:dm_exec_query_resource_semaphores None
execution sys.dm_exec_requests mssql:execution:dm_exec_requests None
execution sys.dm_exec_trigger_stats mssql:execution:dm_exec_trigger_stats None
index sys.dm_db_index_physical_stats mssql:index:dm_db_index_physical_stats None
index sys.dm_db_index_operational_stats mssql:index:dm_db_index_operational_stats None
index sys.dm_db_index_usage_stats mssql:index:dm_db_index_usage_stats None
index sys.dm_db_missing_index_details mssql:index:dm_db_missing_index_details None
index sys.dm_db_missing_index_groups mssql:index:dm_db_missing_index_groups None
index sys.dm_db_missing_index_group_stats mssql:index:dm_db_missing_index_group_stats None
instance Built-in functions: SERVERPROPERTY, @@MAX_CONNECTIONS, db_name() mssql:instance Databases, Database (ITSI)
instance Built-in functions: SERVERPROPERTY, db_name(), @@TOTAL_READ, @@TOTAL_WRITE, @@TOTAL_ERRORS mssql:instancestats Databases
instance sys.processes mssql:processes None
instance sys.databases mssql:databases Databases
mirroring sys.dm_db_mirroring_connections mssql:mirroring:dm_db_mirroring_connections None
mirroring sys.dm_db_mirroring_auto_page_repair mssql:mirroring:dm_db_mirroring_auto_page_repair None
OS sys.dm_os_sys_info mssql:os:dm_os_sys_info Databases; Performance
OS sys.dm_os_performance_counters mssql:os:dm_os_performance_counters Database (ITSI)
OS sys.dm_os_windows_info mssql:os:dm_os_windows_info None
OS sys.dm_os_buffer_descriptors mssql:os:dm_os_buffer_descriptors None
replication sys.dm_repl_articles mssql:replication:dm_repl_articles None
replication sys.dm_repl_tranhash mssql:replication:dm_repl_tranhash None
replication sys.dm_repl_schemas mssql:replication:dm_repl_schemas None
replication sys.dm_repl_traninfo mssql:replication:dm_repl_traninfo None
transaction sys.dm_tran_locks mssql:transaction:dm_tran_locks Databases
transaction sys.dm_tran_active_snapshot_database_transactions mssql:transaction:dm_tran_active_snapshot_database_transactions None
transaction sys.dm_tran_current_snapshot mssql:transaction:dm_tran_current_snapshot None
transaction sys.dm_tran_database_transactions mssql:transaction:dm_tran_database_transactions None
transaction sys.dm_tran_session_transactions mssql:transaction:dm_tran_session_transactions None
transaction sys.dm_tran_transactions_snapshot mssql:transaction:dm_tran_transactions_snapshot None
transaction sys.dm_tran_active_transactions mssql:transaction:dm_tran_active_transactions None
transaction sys.dm_tran_current_transaction mssql:transaction:dm_tran_current_transaction None
transaction sys.dm_tran_top_version_generators mssql:transaction:dm_tran_top_version_generators None
transaction sys.dm_tran_version_store mssql:transaction:dm_tran_version_store None
Other sys.tables mssql:table Database (ITSI)
Other sys.database_principals mssql:user Database (ITSI)

Trace and audit logs

Log Log Format Description Source type CIM data models
Trace log Binary Default trace provides troubleshooting support. You can open default trace logs with SQL Server Profiler or query them with Transact-SQL by using the fn_trace_gettable system function. This add-on uses the fn_trace_gettable system function through DB Connect. See https://learn.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-trace-gettable-transact-sql?view=sql-server-ver17&redirectedfrom=MSDN mssql:trclog None
Audit log Binary SQL Server audit lets you create server audits for server-level, database-level, and table-level events. See Create audit objects in Microsoft SQL Server for more information. Audit logs can be read by the sys.fn_get_audit_file system function. See https://learn.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-get-audit-file-transact-sql?view=sql-server-ver17&redirectedfrom=MSDN&tabs=sqlserver. This add-on uses the sys.fn_get_audit_file function through DB Connect. mssql:audit None