Source types for the Splunk Add-on for Oracle Database

The Splunk Add-on for Oracle Database collects different logs and events from different sources in Oracle Database Server. The add-on assigns different source types for each different log or event source.

There are two major groups of source types for the Splunk Add-on for Oracle Database. Each group depends on how events are collected:

• Collected through file monitoring (based on log files)

• Collected through Splunk DB Connect (based on database entries)

Log file source types

Many Oracle log files offer the option of a plain text format or an XML format. You can choose to configure the logs in either of these formats because this add-on supports field extractions for both formats. In general, XML-formatted logs have more verbose information and are easier to parse, but may occupy more OS disk space.

You can customize the location and name of most log files in Oracle. The table below provides the default location for each log file and a query that you can run in case the location has changed.

More information about the different log and event data supported by this add-on is available below the table.

Note

All listed source types based on log files are for Oracle Versions 19c/21c/23ai

Log/ Event	Log Format	Source Type	Default File Location	CIM Data Model
Audit Log	Plain text	oracle:audit:text (DEPRECATED)	$ORACLE_BASE/admin/$ORACLE_SID/adump/*.aud Query this location by issuing show parameter AUDIT_FILE_DEST;	Authentication, Databases, Change
	XML	oracle:audit:xml (DEPRECATED)	$ORACLE_BASE/admin/$ORACLE_SID/adump/*.xml Query this location by issuing show parameter AUDIT_FILE_DEST;	Databases, Authentication, Change
Alert Log	Plain text	oracle:alert:text	$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ trace/alert_$ORACLE_SID.log Query this location by issuing select value from v$diag_info where name = 'Diag Trace';	N/A
	XML	oracle:alert:xml	$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ alert/log.xml Query this location by issuing select value from v$diag_info where name = 'Diag Alert';	N/A
Listener Log	Plain text	oracle:listener:text	$ORACLE_BASE/product/db_1/network/log/listener.log For 21c: $ORACLE_BASE/diag/tnslsnr/$HOST_NAME/listener/trace/listener.log Query this location by running lsnrctl status	N/A
	XML	oracle:listener:xml	$ORACLE_BASE/diag/tnslsnr/$HOST_NAME/listener/ alert/log.xml Query this location by running lsnrctl status	N/A
Incident log	Plain text	oracle:incident	$ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/ incident/*/*.trc Query this location by issuing select value from v$diag_info where name = 'Diag Incident';	N/A
Trace log	Plain text	oracle:trace	For 10g: $ORACLE_HOME/admin/$ORACLE_SID/ udump/*.trc For 11g/12c: $ORACLE_HOME/diag/rdbms/$ORACLE_SID/ $ORACLE_SID/trace For 21c: $ORACLE_BASE/homes/OraDB21Home1/rdbms/log/*.trc Query this location by issuing show parameter USER_DUMP_DEST;	N/A

Note

The sourcetypes “oracle:audit:text” and “oracle:audit:xml” has been deprecated from add-on v4.2.0 onwards. Please use “oracle:audit:unified” sourcetype instead.

Database entry source types

Collect the following metrics using Splunk DB Connect.

The source types are based on specific database tables or views to get essential type of data (eg. V$SESSION or DBA_TABLESPACES to get session or tablespace information). Additional tables or views may be involved to collect more detail information (eg. beside V$SESSION, V$INSTANCE to build oracle:session events) or for other reasons (eg. DUAL for oracle:sga).

Date columns or current date (index time) can be used to define event timestamp.

Tables/views that contain data for current state are used to collect data in batches. Events from tables/views that contain historical or dynamic data are collected in rising mode. Date columns are used to define checkpoint for incremental load.

Object	Oracle Version	Source Type	Tables/Views	Time	Mode	CIM Data Model
Database	19c/21c/23ai	oracle:database	V$DATABASE	current	batch	Databases
Instance	19c/21c/23ai	oracle:instance	V$INSTANCE NLS_DATABASE_PARAMETERS	current	batch	Databases
Session	19c/21c/23ai	oracle:session	V$SESSION V$INSTANCE	current	batch	Databases
Tablespace	19c/21c/23ai	oracle:tablespace	DBA_TABLESPACES	current	batch	N/A
Tablespace Metrics	19c/21c/23ai	oracle:tablespaceMetrics	V$TEMP_SPACE_HEADER V$TEMP_EXTENT_POOL DBA_TEMP_FILES DBA_FREE_SPACE DBA_DATA_FILES	current	batch	Databases
System Global Area (SGA)	19c/21c/23ai	oracle:sga	V$SGA V$SGASTAT V$PGASTAT DUAL	current	batch	Databases
Cache	19c/21c/23ai	oracle:libraryCachePerf	V$LIBRARYCACHE	current	batch	N/A
I/O performance	19c/21c/23ai	oracle:dbFileIoPerf	V$FILESTAT V$TEMPFILE V$DATAFILE	current	batch	N/A
Host performance	19c/21c/23ai	oracle:osPerf	V$OSSTAT	current	batch	N/A
System performance	19c/21c/23ai	oracle:sysPerf	V$SYSMETRIC_HISTORY V$INSTANCE	current	rising by V$SYSMETRIC_HISTORY.END_TIME	Databases
Connections performance	19c/21c/23ai	oracle:connections	V$SESSION V$INSTANCE	current	batch	Databases
Connections pool performance	19c/21c/23ai	oracle:pool:connections	DBA_CPOOL_INFO V$INSTANCE	current	batch	Databases
Table	19c/21c/23ai	oracle:table	ALL_TABLES ALL_TAB_MODIFICATIONS DBA_SEGMENTS V$INSTANCE	current	batch	Databases
Database size	19c/21c/23ai	oracle:database:size	V$DATAFILE V$INSTANCE	current	batch	Databases
User	19c/21c/23ai	oracle:user	ALL_USERS V$INSTANCE	current	batch	Databases
Queries performance	19c/21c/23ai	oracle:query	V$SQLAREA ALL_USERS V$INSTANCE	current	batch	Databases
Unified Auditing Log	19c/21c/23ai	oracle:audit:unified	UNIFIED_AUDIT_TRAIL ALL_TAB_COLUMNS	UNIFIED_AUDIT_TRAIL.EVENT_TIMESTAMP_UTC	rising by UNIFIED_AUDIT_TRAIL.EVENT_TIMESTAMP_UTC	Authentication, Change
SQL Monitor	19c/21c/23ai	oracle:sqlMonitor	V$SQL_MONITOR V$SQL_PLAN_MONITOR V$SQLAREA DBA_HIST_ACTIVE_SESS_HISTORY V$INSTANCE V$DATABASE V$VERSION	V$SQL_MONITOR.SQL_EXEC_START	rising by V$SQL_MONITOR.SQL_EXEC_START	Databases
Connections pool statistics	19c/21c/23ai	oracle:connections:poolStats	V$INSTANCE DBA_CPOOL_INFO V$CPOOL_STATS V$VERSION	current	batch	Databases