Skip to content

Overview

About the Splunk Add-on for MySQL

Component Description
Version 3.2.0
Vendor Products MySQL 8.0.25, 8.0.29, 8.0.41, 8.4.4, 9.2.0
Visible in Splunk Web No. This add-on does not contain any views.

The Splunk Add-on for MySQL allows a Splunk software administrator to collect general logs, error logs, and slow query logs from MySQL servers and performance and configuration logs from local or remote MySQL Databases. This add-on also allows the user to collect MySQL Enterprise audit logs from MySQL Enterprise Server. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

Note

Splunk DB Connect version 3.5.1 or higher is required to manage database connectivity. You must install and configure it before you can use this add-on to collect performance and configuration logs from a MySQL Database.

Splunk DB Connect versions 3.5.1 and lower do not support Splunk DB Connect templates that use the SHOW statement in their queries. For more information, see Configure inputs for the Splunk Add-on for MySQL.

The Splunk Add-on for MySQL does not support versions 3.2.0 or earlier of Splunk DB Connect.

Release notes

For a summary of new features, fixed issues, and known issues, and for more information on release history, see Release notes for the Splunk Add-on for MySQL.

Compatibility

For detailed information about compatibility with other software, CIM versions, and platforms, see Release notes for the Splunk Add-on for MySQL.

Source types and lookups

For more information about the source types for Splunk Add-on for MySQL see Source types.

Download the add-on

Download the Splunk Add-on for MySQL from Splunkbase.

Install and configure the add-on

To install and configure the Splunk Add-on for Juniper, see Installation and configuration overview for the Splunk Add-on for MySQL.

Hardware and software requirements

For more information, see Hardware and software requirements.

Additional resources

Search the Splunk Community page for more information about this add-on.

See Troubleshooting guidelines specific for this add-on.

Release notes for the Splunk Add-on for MySQL

Version 3.2.0 of the Splunk Add-on for MySQL was released on .

Compatibility

Version 3.2.0 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 9.0.x, 9.1.x, 9.2.x, 9.3.x,9.4.x
CIM 6.0.3
ITSI 4.9.2
Platforms Windows and Linux
Vendor Products MySQL 8.0.25, 8.0.29, 8.0.41, 8.4.4, 9.2.0

New features

Version 3.2.0 of the Splunk Add-on for MySQL has the following new features.

  • Support for MySQL 8.0.44, 8.4.4 and 9.2.0.
  • Support for MySQL Enterprise Audit Logging
    • The customer can now collect audit logs from the MySQL audit logging from MySQL Enterprise
  • Support of latest CIM version - 6.0.3

Fixed issues

Version 3.2.0 of the Splunk Add-on for MySQL has the following fixed issues. If no issues appear, then none have been reported.

Known issues

Version 3.2.0 of the Splunk Add-on for MySQL has the following known issues. If no issues appear, then none have been reported.

Release history for the Splunk Add-on for MySQL

Latest version

The latest version of the Splunk Add-on for MySQL is version 3.2.0. See Release notes for the Splunk Add-on for MySQL for the release notes of this latest version.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for MySQL was released on July 18, 2022.

Compatibility

Version 3.1.0 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.0.1
ITSI 4.9.2
Platforms Windows and Linux
Vendor Products MySQL 5.7, 8.0.25, 8.0.29

New features

Version 3.1.0 of the Splunk Add-on for MySQL has the following new features.

  • Support for MySQL 8.0.29.
  • Support for CIM 5.0.1

Fixed issues

Version 3.1.0 of the Splunk Add-on for MySQL has the following fixed issues. If no issues appear, then none have been reported.

Known issues

Version 3.1.0 of the Splunk Add-on for MySQL has the following known issues. If no issues appear, then none have been reported.

Version 3.0.0

Version 3.0.0 of the Splunk Add-on for MySQL was released on August 12, 2021.

Compatibility

Version 3.0.0 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 8.1.x, 8.2.x
CIM 14.20.0
ITSI 4.9.2
Platforms Windows and Linux
Vendor Products MySQL 5.7, 8.0.25

New features

Version 3.0.0 of the Splunk Add-on for MySQL has the following new features.

  • Support for MySQL 8.0.25.
  • Removed support for MySQL 5.6.
  • Removed UI.
  • Removed automation around creating monitor stanzas.
  • Removed support for mysqlbinlog tool.
  • Removed support for mysqldiskusage tool.
  • Removed support for these source types:
    • mysql:errorLog:mysqld_safe
    • mysql:file_summary_by_instance
    • mysql:file_summary_by_event_name
    • mysql:hostSummary
    • mysql:events_waits_summary_global_by_event_name
    • mysql:events_waits_summary_by_user_by_event_name
    • mysql:events_statements_summary_by_user_by_event_name
    • mysql:events_statements_summary_by_host_by_event_name
    • mysql:events_statements_summary_by_digest
    • mysql:statementsWithRuntimesIn95Percentile
    • mysql:ioByThreadByLatency
    • mysql:userSummary
    • mysql:table_io_waits_summary_by_index_usage
    • mysql:schemaTableStatsBuffer
    • mysql:tableStatsBuffer
    • mysql:diskUsage
    • mysql:binLog

Fixed issues

Version 3.0.0 of the Splunk Add-on for MySQL has the following fixed issues. If no issues appear, then none have been reported.

Known issues

Version 3.0.0 of the Splunk Add-on for MySQL has the following known issues. If no issues appear, then none have been reported.

Version 2.0.2

Compatibility

Version 2.0.2 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.14
Platforms Windows and Linux
Vendor Products MySQL 5.6, 5.7

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.2 of the Splunk Add-on for MySQL has the following new features.

  • Default support for Python3
  • Enhanced python library structure

Fixed issues

Version 2.0.2 of the Splunk Add-on for MySQL has the following fixed issues. If no issues appear, then none have been reported.

Known issues

Version 2.0.2 of the Splunk Add-on for MySQL has the following known issues. If no issues appear, then none have been reported.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for MySQL was released on March 10, 2020.

Compatibility

Version 2.0.1 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM 4.14
Platforms Windows and Linux
Vendor Products MySQL 5.6, 5.7

New features

Version 2.0.1 of the Splunk Add-on for MySQL has the following new features.

  • Default support for Python3

Fixed issues

Version 2.0.1 of the Splunk Add-on for MySQL has the following fixed issues. If no issues appear, then none have been reported.

Known issues

Version 2.0.1 of the Splunk Add-on for MySQL has the following known issues. If no issues appear, then none have been reported.

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for MySQL was released on January 24, 2020.

Compatibility

Version 2.0.0 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.14
Platforms Windows and Linux
Vendor Products MySQL 5.6, 5.7

New features

Version 2.0.0 of the Splunk Add-on for MySQL has the following new features.

  • Support for Python3
  • Support for Splunk DB Connect 3

Fixed issues

Version 2.0.0 of the Splunk Add-on for MySQL has the following fixed issues. If no issues appear, then none have been reported.

Known issues

Version 2.0.0 of the Splunk Add-on for MySQL has the following known issues. If no issues appear, then none have been reported.

Version 1.1.0

Compatibility

Version 1.1.0 of the Splunk Add-on for MySQL is compatible with the following software, CIM versions, and platforms.

Component Description
Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Windows and Linux
Vendor Products MySQL 5.6, 5.7

New features

Version 1.1.0 of the Splunk Add-on for MySQL has the following new features.

  • Updated add-on to support ITSI integration. Added new source types and provide mapping to the ITSI Database module.

Fixed issues

Version 1.1.0 of the Splunk Add-on for MySQL has the following fixed issues.

Known issues

Version 1.1.0 of the Splunk Add-on for MySQL has the following known issues.

Note

Versions 3.0.3 and earlier of Splunk DB Connect do not support a new installation of the Splunk Add-on for MySQL. To configure inputs using versions 3.0.3 and earlier of Splunk DB Connect, see Use the Splunk DB Connect GUI to configure your database inputs for details.

Version 1.0.0

Compatibility

Version 1.0.0 of the Splunk Add-on for MySQL has the same compatibility specifications as version 1.1.0.

New features

Version 1.0.0 of the Splunk Add-on for MySQL has the following new features.

  • New add-on providing inputs and CIM normalization for MySQL. |

Known issues

Version 1.0.0 of the Splunk Add-on for MySQL has the following known issue.

Third-party software attributions

The latest version of Splunk Add-on for MySQL use third party software components. For more details, see Third-party credits.

Hardware and software requirements for the Splunk Add-on for MySQL

Enable MySQL logs

You must enable the following MySQL logs.If you don’t enable any of the logs, you won’t collect them. See the following instructions for information:

Version 5.7

Version 8.0.x

Version 8.4.x

Version 9.2.x

Splunk DB Connect

You must have Splunk DB Connect installed to your heavy forwarders to collect MySQL performance and configuration logs with this add-on. The Splunk Add-on for MySQL works with DB Connect versions 3.5.1 and later. See Deploy and Use Splunk DB Connect in the Splunk DB Connect manual for information.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.

  • For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
  • If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.

Installation overview for the Splunk Add-on for MySQL

Install and configure this add-on on your supported platform.

  1. Download the add-on from Splunkbase.

  2. Determine where and how to install this add-on in your deployment, using the tables in the following section.

  3. Install the Splunk Add-on for MySQL.

  4. Configure inputs for the Splunk Add-on for MySQL.

Ended: Overview

Installation

Installation instructions

See Installing add-on in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.

Splunk instance type Supported Required Comments
Search Heads Yes Yes Install this add-on to all search heads where MySQL knowledge management is required.
Indexers Yes Conditional Not required if you use heavy forwarders to monitor MySQL log files directly on MySQL machines. This is required if you use universal or light forwarders for monitor inputs.
Heavy Forwarders Yes Supported for monitor inputs only. Forwarder needs to be installed directly on the MySQL server for file monitoring of local logs. The forwarder doing the data collection needs to be installed directly on the MySQL server for file monitoring of local logs.
Universal Forwarders Yes No Supported for monitor inputs only. Forwarder needs to be installed directly on the MySQL server for file monitoring of local logs.
Light Forwarders No No This add-on does not support light forwarders because Splunk recommends using the Splunk Web user interface to perform the setup and authentication with MySQL.

Distributed deployment feature compatibility

This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes
Indexer Clusters Yes
Deployment Server Conditional Supported for deploying the configured add-on to multiple forwarders for local data collection using file monitoring. Not supported for DB Connect inputs.

Migrate Splunk add-on for MySQL version 3.0.0 to 3.1.0

There are no additional steps required to upgrade the Splunk Addon for MySQL from v3.0.0 to v3.1.0. If you want to use the file monitoring feature, see how to Monitor Files and Directories with Splunk Web.

Migrate Splunk add-on for MySQL version 2.0.2 to 3.0..0

The Splunk Add-on for MySQL version 3.0.0 no longer supports automation for input creation in DB Connect. This only affects the automation for new servers, but all currently created inputs (whether they were created by automation or otherwise) in DB Connect will remain. If you want to use the file monitoring feature, see how to Monitor Files and Directories with Splunk Web.

We no longer support these source types:

  • mysql:errorLog:mysqld_safe
  • mysql:file_summary_by_instance
  • mysql:file_summary_by_event_name
  • mysql:hostSummary
  • mysql:events_waits_summary_global_by_event_name
  • mysql:events_waits_summary_by_user_by_event_name
  • mysql:events_statements_summary_by_user_by_event_name
  • mysql:events_statements_summary_by_host_by_event_name
  • mysql:events_statements_summary_by_digest
  • mysql:statementsWithRuntimesIn95Percentile
  • mysql:ioByThreadByLatency
  • mysql:userSummary
  • mysql:table_io_waits_summary_by_index_usage
  • mysql:schemaTableStatsBuffer
  • mysql:tableStatsBuffer
  • mysql:diskUsage
  • mysql:binLog

Inputs from previous versions of the Splunk add-on for MySQL will continue to work as designed. Both CIM mappings and extractions will work as expected. Splunk best practice is to add the new inputs as then they will be properly extracted.

Ended: Installation

Configuration

Configure inputs for the Splunk Add-on for MySQL

To gather data from MySQL, the Splunk Add-on for MySQL leverages Splunk DB Connect.

Configure Splunk DBConnect for MySQL

Perform procedures on this page to configure Splunk DB Connect for MySQL.

Configure Splunk DB Connect settings

  1. In Splunk DB Connect, go to Configuration tab, and then Settings tab.
  2. On General settings page, set the Java Runtime Environment (JRE) path and Task Server settings.
  3. Restart the Task Server Java process by saving settings.
  4. For detailed steps, see Splunk DB Connect Settings.

Download and install MySQL JDBC Driver

  1. Download the MySQL JDBC driver here: https://dev.mysql.com/downloads/connector/j/.
  2. Place the following driver file mysql-connector-java*.jar in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers/ or install the Splunk DBX Addon for MySQL JDBC to automate driver installation.
  3. Reload the driver under Configuration > Settings > Drivers to ensure the driver is enabled.
  4. For detailed steps see MySQL JDBC Driver Download.

Create and manage identities

  1. In Splunk DB Connect, navigate to Configuration > Databases > Identities and select New Identity > Username & Password.
  2. Enter the identity name, username, and password, ensuring the user has the appropriate database access.
  3. Go to Permissions tab and configure permissions for the identity, then select Save.
  4. For detailed steps, see Create and manage identities.

Create a database connection

Create a database connection to the MySQL using the Splunk DB Connect GUI:

  1. Go to Configuration > Databases > Connections and select New Connection.

  2. On the Settings tab, select the following options:

    a. From the Identity menu select an existing identity.

    b. From the Connection Type menu select MySQL

    c. Configure the timezone settings.

  3. If the MySQL driver is not installed, follow the instructions in the pop-up to install it.

  4. On the New Connection page, complete the following fields:

    • Connection name
    • Identity
    • Connection Type
    • Timezone
    • JDBC URL Settings

  5. For detailed guidance on setting up a new database connection using the GUI, see Create and manage database connections section of the Splunk DB Connect manual.

Configure the inputs using the Splunk DB Connect GUI

If you want to create MySQL database input, select the template created for ‘Splunk Add-on for MySQL under Template field of DB Connect.

Configure the inputs using the Splunk DB Connect v3.5.1 or lower

Note

For cloud environment, contact Splunk Cloud SRE.

  1. Configure the Splunk Add-on for MySQL, if you have not done so already.

  2. Copy the following text:

    [<input_name>]
batch_upload_size = 1000
connection = <connection>
description = Query all database instances in a MySQL box
disabled = 0
fetch_size = 300
index = <index>
index_time_mode = current
input_type = event
interval = 86400
max_rows = 0
mode = batch
query = show databases;
query_timeout = 30
sourcetype = mysql:database
template_name = mysql:database
source = <source>

[<input_name>]
batch_upload_size = 1000
connection = <connection>
description = Query innodb engine of the database
disabled = 0
fetch_size = 300
index = <index>
index_time_mode = current
input_type = event
interval = 120
max_rows = 0
mode = batch
tail_rising_column_number =
query = SHOW ENGINE INNODB STATUS;
query_timeout = 30
sourcetype = mysql:innodbStatus
template_name = mysql:innodbStatus
source = <source>

[<input_name>]
batch_upload_size = 1000
connection = <connection>
description = Query all of the current running process of the database
disabled = 0
fetch_size = 300
index = <index>
index_time_mode = current
input_type = event
interval = 120
max_rows = 0
mode = batch
tail_rising_column_number =
query = SHOW FULL PROCESSLIST;
query_timeout = 30
sourcetype = mysql:databaseProcess
template_name = mysql:databaseProcess
source = <source>

[<input_name>]
batch_upload_size = 1000
connection = <connection>
description = Query grant actions in the database
disabled = 0
fetch_size = 300
index = <index>
index_time_mode = current
input_type = event
interval = 300
max_rows = 0
mode = batch
tail_rising_column_number =
query = SHOW GRANTS;
query_timeout = 30
sourcetype = mysql:grants
template_name = mysql:grants
source = <source>

  3. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_mysql/local, and open db_inputs.conf.

  4. Paste your copied MySQL inputs to db_inputs.conf.
  5. For each of your mysql inputs, change each mention of <input\_name>, <connection>, <index> and <source> to appropriate values for each parameters.
  6. Save your changes.
  7. Restart your Splunk platform deployment.

Configure monitor inputs for the Splunk Add-on for MySQL

  1. Choose the Audit Log Format. Select the JSON format for the audit log files you want to monitor.
  2. Determine the full path to the audit log file. If the log files are stored in a non-default location, be sure to use the exact path in your configuration.
  3. Create the inputs.conf file. Navigate to the following directory and create an inputs.conf file if it does not already exist: $SPLUNK_HOME/etc/apps/Splunk_TA_mysql/local.

  4. Add a monitor stanza for each audit log file you want Splunk to ingest. Each stanza must specify the full path to the log file and set the appropriate sourcetype. Example configuration:

    [monitor://path_to_audit.log_file] sourcetype = mysql:audit <br>

    For example:

    [monitor://C:\ProgramData\MySQL\MySQL Server 9.2\Data\audit.log] <br> sourcetype = mysql:audit

Ended: Configuration

Troubleshooting

Troubleshoot the Splunk Add-on for MySQL

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshooting in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

To check for DB Connect errors, you can perform this search of the DB Connect internal logs:

index=_internal sourcetype=dbx* state=error

DB Connect does not collect data

If DB Connect doesn’t collect anything, make sure that you installed Splunk DB Connect, configured its java path, and installed the MySQL JDBC before doing the setup for the Splunk Add-on for MySQL.

Ended: Troubleshooting

Reference

Source types for the Splunk Add-on for MySQL

The Splunk Add-on for MySQL collects different events from different sources in MySQL Server. The add-on assigns different source types for each different log or event source.

There are two major groups of source types for the Splunk Add-on for MySQL. Each group depends on how events are collected:

  • Collected through Splunk DB Connect (based on database queries)
  • Collected through file monitoring (based on log files)

Log file source types

Data source Source type CIM Data Models
MySQL general log (file with general log content) mysql:generalQueryLog n/a
MySQL error log (file with error log content) mysql:errorLog n/a
MySQL Innodb status (regex matching Innodb status content from mysql:errorLog and redirecting to this source type) mysql:innodbStatus n/a
MySQL Slow Query Log (file with slow query log content) mysql:slowQueryLog Databases

Database entry source types

Data source Collection method Source type CIM or ITSI data models
Logs from innodb_buffer_page database table DB Connect mysql:innodb_buffer_page n/a
MySQL Innodb status DB Connect mysql:innodbStatus n/a
MySQL role/account permission grant DB Connect mysql:grants n/a
MySQL database threads/processes information DB Connect mysql:databaseProcess Databases
MySQL process information DB Connect mysql:processInfo Databases
MySQL system variables global settings DB Connect mysql:variables ITSI Database
MySQL users DB Connect mysql:user ITSI Database
Overall MySQL status DB Connect mysql:status n/a
MySQL schema objects DB Connect mysql:schemaObjectOverview n/a
Logs from database table DB Connect mysql:database Databases
MySQL logs from general_log database table DB Connect mysql:generalQueryLogDb ITSI Database
MySQL logs from slow_query database table DB Connect mysql:slowQueryLogDb Databases
MySQL table status DB Connect mysql:tableStatus ITSI Database
MySQL schema objects DB Connect mysql:instance:stats ITSI Database
MySQL transactions DB Connect mysql:transaction:stats ITSI Database
MySQL connections DB Connect mysql:connection:stats ITSI Database
MySQL error log DB Connect mysql:errorLogDb n/a
MySQL disk usage for all kinds of logs DB Connect mysql:diskUsageDb n/a
MySQL summaries by stages DB Connect mysql:userSummaryByStages n/a
Snapshot of which InnoDB locks transactions are waiting for DB Connect mysql:innodbLockWaits n/a
MySQL global grants DB Connect mysql:globalGrants n/a
MySQL events DB Connect mysql:events n/a
MySQL loaded components DB Connect mysql:components n/a
MySQL storage engines DB Connect mysql:engines n/a

Ended: Reference