https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340872#M5211 <P>I installed db_connect 3.1.2 on search head of SHC mode. I will output result to MySQL db from splunk search. I tried the following two methods, but MySQL database still has no data</P> <P>search (alert type is real-time,use admin permission):<BR /> <CODE>index=attackinfo|field _time src_ip dst_ip result system</CODE></P> <P>1、save as an alert , add <CODE>DBX output alert action</CODE> trigger action<BR /> OR<BR /> 2、add <CODE>|dbxoutput output="outputAttackinfoToLiveMap"</CODE> at the end of search</P> <P>When some events passing through the search window,these events not output to MySQL?why?but I open search to running second search statement , These events are written to the MySQL</P> <P>why event is not written to the Mysql when it is saved as a alert. but running search statement that can output to mysql db! I tried to modify the alert type to a cron expression, </P> <P><CODE>-1m@m</CODE> <CODE>@m</CODE> <CODE>*/1 * * * *</CODE> </P> <P>but still so</P> Tue, 13 Mar 2018 11:57:14 GMT xsstest 2018-03-13T11:57:14Z https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340872#M5211 <P>I installed db_connect 3.1.2 on search head of SHC mode. I will output result to MySQL db from splunk search. I tried the following two methods, but MySQL database still has no data</P> <P>search (alert type is real-time,use admin permission):<BR /> <CODE>index=attackinfo|field _time src_ip dst_ip result system</CODE></P> <P>1、save as an alert , add <CODE>DBX output alert action</CODE> trigger action<BR /> OR<BR /> 2、add <CODE>|dbxoutput output="outputAttackinfoToLiveMap"</CODE> at the end of search</P> <P>When some events passing through the search window,these events not output to MySQL?why?but I open search to running second search statement , These events are written to the MySQL</P> <P>why event is not written to the Mysql when it is saved as a alert. but running search statement that can output to mysql db! I tried to modify the alert type to a cron expression, </P> <P><CODE>-1m@m</CODE> <CODE>@m</CODE> <CODE>*/1 * * * *</CODE> </P> <P>but still so</P> Tue, 13 Mar 2018 11:57:14 GMT https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340872#M5211 xsstest 2018-03-13T11:57:14Z https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340873#M5212 <P>Hi,</P> <P>I am not sure, but as per doc :<BR /> DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.</P> <P>Also, can you tell me database output setting you configured? Refer this doc:<BR /> <A href="http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs">http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs</A></P> Tue, 13 Mar 2018 12:13:48 GMT https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340873#M5212 p_gurav 2018-03-13T12:13:48Z https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340874#M5213 <P>hi, @p_gurav</P> <P>not support running scheduled task.</P> <P>When I configure output , one option is "Scheduling", but I didn't check it, so I chose to use alert to output to MySQL database.<BR /> Do you mean scheduled task that refer to this option?</P> Tue, 13 Mar 2018 12:57:39 GMT https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340874#M5213 xsstest 2018-03-13T12:57:39Z https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340875#M5214 <P>Ok. can you share database output you created?</P> Tue, 13 Mar 2018 13:02:05 GMT https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340875#M5214 p_gurav 2018-03-13T13:02:05Z https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340876#M5215 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/85706">@p_gurav</a><BR /> <CODE><BR /> [outputAttackinfoToLiveMap]<BR /> connection = Connection_LiveMap<BR /> customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12<BR /> disabled=0<BR /> interval=* * * * * ?<BR /> is_saved_search = 0<BR /> query_timeout=<BR /> scheduled = 0<BR /> search = index=attackinfo|field _time src_ip dst_ip result system<BR /> table_name = `livemap`.`attack_log`<BR /> ui_query_catalog = livemap<BR /> ui_query_table = attack_log<BR /> using_upsert=0<BR /> </CODE></P> <P>This is what I entered manually,Because I can't copy information from the intranet</P> Tue, 29 Sep 2020 18:29:08 GMT https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340876#M5215 xsstest 2020-09-29T18:29:08Z https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340877#M5216 <P>The question still not resolved, and no one knows why?</P> Thu, 22 Mar 2018 15:26:55 GMT https://community.splunk.com/t5/Splunk-Dev/why-db-connect-can-t-output-result-to-MySQL-database/m-p/340877#M5216 xsstest 2018-03-22T15:26:55Z