
About the specification of the DB input InputType

New Member

Splunk Version 7.1.0
Splunk Build 2e75b3406c5b

When creating an Input in Splunk's DB DatLab, an InputType can be selected under Settings:
①Batch
②Rising
My understanding of each is as follows.

①Batch Input: the same query is sent to the database every time. All data is fetched on every run, without regard to which records have already been read. In that case, Splunk keeps the data read previously and additionally indexes the newly read data.

②Rising Column: Splunk records how far it has read, so that the next read continues from that point. This is suitable for indexing a table into which data is INSERTed continually.

Currently I created Inputs for both Batch and Rising for the number of inquiries per year and per month and searched them.
With Batch, every search returns the real-time count, but with Rising only the previous day's data is retrieved, even though the CheckPoint is specified down to the hour, minute and second.

Q1: If you know of a URL that describes the Batch and Rising specifications, please let me know.
Q2: If I want to retrieve the full count of inquiries in real time every time, is retrieving in Batch mode the right choice?

0 Karma

Motivator

@bigginer

I think the link below will help you:

https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Createandmanagedatabaseinputs

And also for your 2nd question, I didn't get the whole queries thing. The best way is to try to upload the data to Splunk using a rising column: whenever there is a new entry in the database, it will get indexed, and then you can do whatever condition or transformation you want to do. As batch mode is for one-time indexing, otherwise it will consume a lot of license.

The other way is to directly call the query to show the result in the Splunk search screen: | dbxquery connection=<connection_name> query=<query>

0 Karma
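The difference between the two input types in the question and the answer above, as an added simulation that is not DB Connect's own code: a constructed SQLite table of inquiries is polled twice, once with the unfiltered batch query and once with a rising-column query that reads only rows strictly after the stored checkpoint. The table, column names and timestamps are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: an inquiry log with a timestamp column (inserted_at)
# that only ever increases, which is what a rising column requires.
ROWS = [(1, "2018-06-01 09:00:00", "billing"),
        (2, "2018-06-01 10:30:00", "login"),
        (3, "2018-06-02 08:15:00", "billing")]
NEW_ROWS = [(4, "2018-06-02 11:00:00", "password"),
            (5, "2018-06-02 11:05:00", "login")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inquiries (id INTEGER, inserted_at TEXT, category TEXT)")
    conn.executemany("INSERT INTO inquiries VALUES (?, ?, ?)", ROWS)
    return conn


def batch_input(conn):
    """Batch mode: the same unfiltered query on every run, so every row comes back again
    and is indexed again (duplicates in the index, license consumed for each repeat)."""
    return conn.execute("SELECT id, inserted_at, category FROM inquiries").fetchall()


def rising_input(conn, checkpoint):
    """Rising column mode: only rows strictly after the stored checkpoint, ascending order.
    The last value seen becomes the new checkpoint; rows whose column value equals the
    checkpoint are never re-read, so the column must advance with every insert."""
    rows = conn.execute(
        "SELECT id, inserted_at, category FROM inquiries "
        "WHERE inserted_at > ? ORDER BY inserted_at ASC", (checkpoint,)).fetchall()
    new_checkpoint = rows[-1][1] if rows else checkpoint
    return rows, new_checkpoint


def simulate():
    """Run both input types twice, inserting new rows between the runs.
    Returns the total events each mode would have indexed, plus the final checkpoint."""
    conn = make_db()
    batch_total = len(batch_input(conn))
    rising_rows, cp = rising_input(conn, "1970-01-01 00:00:00")
    rising_total = len(rising_rows)
    conn.executemany("INSERT INTO inquiries VALUES (?, ?, ?)", NEW_ROWS)
    batch_total += len(batch_input(conn))     # all 5 rows again: 3 of them are duplicates
    rising_rows, cp = rising_input(conn, cp)  # only the 2 rows after the checkpoint
    rising_total += len(rising_rows)
    return {"batch": batch_total, "rising": rising_total, "checkpoint": cp}


if __name__ == "__main__":
    print(simulate())
```

A count-of-events search over the batch index therefore grows on every run even when the table has not changed, whereas the rising index holds one event per row.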