All Apps and Add-ons

DBのInputTypeに関する仕様について About the specifications about DB InputType

New Member

Splunk Version 7.1.0
Splunk Build 2e75b3406c5b

SplunkのDB DatLabにて、Inputを作成する際、SettingにてInputTypeが選択できます。

①Batch Input…毎回同じクエリをデータベースに投げる。どのレコードまで読み込んだのかを考慮せず全データを毎回取得。その場合、Splunkでは前回読み込んだデータを残しつつ、新たに読み込んだデータを追加インデックスする。

②Rising Column…どのレコードまで読み込んだかをSplunk側で記録して、次の読み込みタイミングで続きから読み込めるように設定。データが都度INSERTされるテーブルをインデックスする場合に適している。



English translation:

Splunk Version 7.1.0
Splunk Build 2e75b3406c5b

When creating an input in DB DatLab of Splunk, you can select InputType in Setting.
There are, the meaning of each is the following recognition.

1Batch Input ... Each time the same query is thrown to the database. All data is acquired every time without considering which record has been read. In that case, Splunk adds data to the newly read data while leaving the previously read data.

2Rising Column ... Splunk records which record has been read, and sets it so that it can be read from the next read timing. It is suitable for indexing a table where data is inserted each time.

At present, I created and searched Input for both Batch and Rising for the number of queries for the year and month,
In the case of Batch, it acquires the number of real-time each time of search, and Rising can acquire only the data of the previous day even though CheckPoint is specified up to hour, minute and second.

Q1: Please let me know if you know the URL for the Batch and Rising specifications.
Q2: If you want to get the whole number of queries in real time every time, is it good to get in Batch mode?

0 Karma



I think the below link will help you:

And also for you 2nd question, i didn't get the whole queries thing? The best way to try to upload the data to splunk using rising column, whenever new entry in the database, it will get indexed, and then you can do whatever condition or transformation you want to do. As in batch mode is for one time indexing, otherwise it will consume lot of license.

other way is to directly call the query to show result in Splunk search screen: |dbxquery connection=<connection_name> query=<query?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...