All Apps and Add-ons

DB Connect Input Preview displays data but after save Find Events has NO results

Path Finder

I have a SQL View as my Source, The Preview displays the records correctly.
However when saving the New Input there are no results.
Are their specific settings in the "Set Parameters" or "Metadata" that can cause t his ?
I have tried both options of timestamp being a column or Index time.
I have created a new Index and this still makes no difference.

What am I doing wrong ?

0 Karma

Path Finder

I think I discovered the problem. Seems that the volume of data was the problem. By reducing the data volume as a test and amending the settings of storage for the Index made this work. The Index didn't seem to have enough space to store any events so wasn't out putting any results.

0 Karma


What is your db connect version? Are you using batch or tailing? If batch, is the first schedule run completed? Also when searching in index try searching for all time as data can go to past date due to date formats messup.

0 Karma

Path Finder

I'm using the latest version which is version 3. It was downloaded and installed within the last 30 days.

I'm not following your questions but here's the section that I'm referring to;
I'm creating a NEW database input and it's connected to a SQL server which it can preview the data absolutely fine within the 2-section Choose and Preview Data Window and can successfully view the SQL table selected.
The next two sections are 3- Set Parameters then 4 of 4 is Metadata.
I click Save and it saves my data input.
According to the document link above I should then be able to go to that new data input select "Find Events" to view the data. All time is selected and it shows me a message of NO RESULTS.....
But on using the Preview it shows all the Data.
This seems very odd it's not returning any data after the input is saved.

0 Karma

Super Champion

do you have a timestamp configured in the parameters?

the way i have parameters set out in one of my inputs is the max rows is 10000000, timestamp is current index time because my input has no time field to use, and my execution frequency is 0 7 1 * *

for my metadata, my host is my main host name, and my source, sourcetype and index are all named the same, as i created an entirely new index for this input.

what configurations do you have set?

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...