topic Re: DB Connect Tail Command not updating in Splunk Search

DB Connect Tail Command not updating

knewter — Mon, 28 Sep 2020 14:09:05 GMT

I am using a tail db command to pull events from a Oracle database every hour. I was able to pull in all of the data the first time it ran but I haven't received any new events. When I looked at the log file I'm receiving the following error message:

2013-06-21 10:48:53.060 dbx5648:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 10:49:31.963 dbx9326:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 10:49:33.123 dbx4360:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:21:22.312 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://DB_Audit/DB_Audit_Tail]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://DB_Audit/DB_Audit_Tail
2013-06-21 11:23:16.671 dbx7573:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:23:18.714 dbx179:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:30:16.066 dbx5726:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:30:17.237 dbx373:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit

Any idea what this error is?

Thanks,

Re: DB Connect Tail Command not updating

ziegfried — Fri, 21 Jun 2013 17:27:59 GMT

The error suggests that there is no output.format in your database input stanza in inputs.conf. This setting is mandatory - you could try to update the input using the UI once and see if that resolves the problem.

Re: DB Connect Tail Command not updating

knewter — Fri, 21 Jun 2013 17:32:49 GMT

Strange when I look at the inputs.conf file it's there. Should I just re-save the config file ?

Re: DB Connect Tail Command not updating

ziegfried — Fri, 21 Jun 2013 17:34:42 GMT

That shouldn't be necessary. You can try to restart Splunk in order to force DB Connect to reload the config.

Re: DB Connect Tail Command not updating

knewter — Fri, 21 Jun 2013 22:27:32 GMT

I've restarted splunk but I'm still receiving the errors.

Re: DB Connect Tail Command not updating

ziegfried — Fri, 21 Jun 2013 23:54:33 GMT

What result do you get when you run the following command (assuming the splunk binary is in $PATH):

splunk cmd btool inputs list dbmon-tail://DB_Audit/DB_Audit_Tail --debug

Re: DB Connect Tail Command not updating

knewter — Sat, 22 Jun 2013 14:37:24 GMT

I ran the btool command earlier and it shows the output.format in there.
/opt/splunk/etc/apps/dbx/local/inputs.conf output.format = kv
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp = 1
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.column = created_on
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.format = MM/dd/yyyy HH:mm:ss.SSS
It's like Splunk doesn't see those lines. The strange thing is it was working a few days ago.

Re: DB Connect Tail Command not updating

rschutt — Mon, 28 Sep 2020 14:17:00 GMT

I'm having the same problem as "Knewter". The difference is that I'm trying to read data from MS-SQL. We also tried without the SQL-query, no output-timestamp and different output.formats, all with the same result. The output of "splunk cmd btool inputs list dbmon-tail shows that all settings in the stanza's are read by Splunk correctly.

Splunk-version=5.0.3

DB-connect-version=1.0.10

Environment=Server 2008 R2 Enterprise

Error-message in "dbx.log"

2013-07-09 10:46:12.200 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://xxxxxxx/xxxxxxx]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://xxxxxxx/xxxxxxx

SPLUNK_HOME\etc\apps\dbx\local\inputs.conf

[script://$SPLUNK_HOME\etc\apps\dbx\bin\jbridge_server.py]

disabled = 0

[batch://$SPLUNK_HOME\var\spool\dbmon*.dbmonevt]

crcSalt =

disabled = 0

move_policy = sinkhole

sourcetype = dbmon:spool

[dbmon-tail://xxxxxxx/xxxxxxx]

host = xxxxxxx

index = owa

interval = 300

output.format = kv

output.timestamp = 1

output.timestamp.column = logtime

query = select dbo.xxxxxxx(ClientIP), ClientUserName,logtime,uri from dbo.xxxxxxxxxxxx where ClientUserName
like '%LDAP%' and UrlDestHost LIKE '%mxs%'

sourcetype = OWA

tail.rising.column = logtime

table = dbo.xxxxxxxxxxxx

output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSS

Re: DB Connect Tail Command not updating

lukejadamec — Wed, 07 Aug 2013 01:38:49 GMT

You may need an output.timestamp.parse.format
This is from an old post: http://splunk-base.splunk.com/answers/71485/splunk-db-connect-timestamp-not-working

"The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once the timestamp was converted to text and both format filters were set to match the output, everything seemed to start working correctly."

Output.timestamp.parse.format is explained here: http://docs.splunk.com/Documentation/DBX/1.0.11/DeployDBX/inputsspec

You also need to watch out for conflicting input.conf files.