All Apps and Add-ons

DB Connect Input Preview displays data but after save Find Events has NO results

EmEdwards
Path Finder

I have a SQL View as my Source, The Preview displays the records correctly.
However when saving the New Input there are no results.
Are their specific settings in the "Set Parameters" or "Metadata" that can cause t his ?
I have tried both options of timestamp being a column or Index time.
I have created a new Index and this still makes no difference.

What am I doing wrong ?

0 Karma

EmEdwards
Path Finder

I think I discovered the problem. Seems that the volume of data was the problem. By reducing the data volume as a test and amending the settings of storage for the Index made this work. The Index didn't seem to have enough space to store any events so wasn't out putting any results.

0 Karma

newbie2tech
Communicator

What is your db connect version? Are you using batch or tailing? If batch, is the first schedule run completed? Also when searching in index try searching for all time as data can go to past date due to date formats messup.

0 Karma

EmEdwards
Path Finder

I'm using the latest version which is version 3. It was downloaded and installed within the last 30 days.

I'm not following your questions but here's the section that I'm referring to;
http://docs.splunk.com/Documentation/DBX/3.0.0/DeployDBX/Createandmanagedatabaseinputs
I'm creating a NEW database input and it's connected to a SQL server which it can preview the data absolutely fine within the 2-section Choose and Preview Data Window and can successfully view the SQL table selected.
The next two sections are 3- Set Parameters then 4 of 4 is Metadata.
I click Save and it saves my data input.
According to the document link above I should then be able to go to that new data input select "Find Events" to view the data. All time is selected and it shows me a message of NO RESULTS.....
But on using the Preview it shows all the Data.
This seems very odd it's not returning any data after the input is saved.

0 Karma

cmerriman
Super Champion

do you have a timestamp configured in the parameters?

the way i have parameters set out in one of my inputs is the max rows is 10000000, timestamp is current index time because my input has no time field to use, and my execution frequency is 0 7 1 * *

for my metadata, my host is my main host name, and my source, sourcetype and index are all named the same, as i created an entirely new index for this input.

what configurations do you have set?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...