All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After upgrading from Splunk DB Connect 1 to version 2, I set up a dbinput, but why does the status change from Enabled to Disabled?

Amohlmann
Communicator
‎05-17-2016 12:16 AM

I am attempting to upgrade from Splunk DB Connect v1 to v2, but running into a problem with my first ever input.

Everything looks fine and is set up. Marked as a Valid Connection, and I can save it, but about 1 min later, the status will change from Enabled to Disabled.
Looking at the errors, I see that the function "py_dbinfo:get_catalogs" goes into an error state whenever this happens.

I can query the database fine from within the app. When setting up the input, it shows me the first 100 lines fine. Just seems to error for just about no reason that I can see.

Thanks,
Andrew

Reply

VidhyaSenapati
New Member
‎04-25-2018 10:52 PM

I am facing the same problem, but not with all the data inputs. If the data input is created with input type=tail then it is facing some problem. Should i check with the query or can i proceed with changing the input.conf files. ,I am facing the same problem, but not with all the data inputs. If i am duplication a data input with input type=tail. Should i try and change the query accordingly or is there any other solution!!

0 Karma
Reply

varad_joshi
Communicator
‎10-04-2016 02:24 AM

Further to what @jtrujillo said.

Search for db inputs which are getting disabled using the query:

index=_internal sourcetype=dbx2 action=auto_disable_modular_input_due_to_maximum_failed_retries

Once you have the db inputs, go to inputs.conf file and check for those 2 db inputs:

You'll have to change following parameter to ensure its not getting auto disabled.

auto_disable = (true|false)

optional, default is true

If set to true, it would disable this dbinput after max_retries of failed attempts

If you really want, you can change this setting as well.

max_retries =

optional, default number is 6

The max number of failed attemps to execute dbinput before it get disabled

Reply

jtrujillo
Path Finder
‎05-17-2016 12:21 PM

Do the following:

index=_internal sourcetype=dbx2 CRITICAL | top action

And i am betting that you will be getting some sort of error about your data.... I am troubleshooting the same thing right now.

For some reason a dbx2 upgrade (2.2.0) is no longer using my epoch timestamps correctly..... its truncating them in a very weird way....

Just as an FYI you will see that your connection is being disabled automatically using the following search

index=_internal sourcetype=dbx2 action=auto_disable_modular_input_due_to_maximum_failed_retries
Reply

varad_joshi
Communicator
‎10-04-2016 01:35 AM

This indeed helpful.
How do we stop the connection getting disabled though?

0 Karma
Reply

davebrooking
Contributor
‎10-04-2016 01:58 AM

The troubleshooting section of the DB Connect documentation, contains an entry "Database inputs are getting disabled"

Dave

Reply

Amohlmann
Communicator
‎05-17-2016 06:19 PM

Thank you, this is giving me much more to work with.

0 Karma
Reply

davidatpinger
Path Finder
‎09-19-2016 11:42 AM

I've got a SQL server that keeps cutting out for various reasons. The second of jtrujillo's queries above is easily turned into an alert that can tell you when an input has been disabled when something like that occurs. Very helpful!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...