All Apps and Add-ons

DB Connect Input Preview displays data but after save Find Events has NO results

EmEdwards
Path Finder

I have a SQL View as my Source, The Preview displays the records correctly.
However when saving the New Input there are no results.
Are their specific settings in the "Set Parameters" or "Metadata" that can cause t his ?
I have tried both options of timestamp being a column or Index time.
I have created a new Index and this still makes no difference.

What am I doing wrong ?

0 Karma

EmEdwards
Path Finder

I think I discovered the problem. Seems that the volume of data was the problem. By reducing the data volume as a test and amending the settings of storage for the Index made this work. The Index didn't seem to have enough space to store any events so wasn't out putting any results.

0 Karma

newbie2tech
Communicator

What is your db connect version? Are you using batch or tailing? If batch, is the first schedule run completed? Also when searching in index try searching for all time as data can go to past date due to date formats messup.

0 Karma

EmEdwards
Path Finder

I'm using the latest version which is version 3. It was downloaded and installed within the last 30 days.

I'm not following your questions but here's the section that I'm referring to;
http://docs.splunk.com/Documentation/DBX/3.0.0/DeployDBX/Createandmanagedatabaseinputs
I'm creating a NEW database input and it's connected to a SQL server which it can preview the data absolutely fine within the 2-section Choose and Preview Data Window and can successfully view the SQL table selected.
The next two sections are 3- Set Parameters then 4 of 4 is Metadata.
I click Save and it saves my data input.
According to the document link above I should then be able to go to that new data input select "Find Events" to view the data. All time is selected and it shows me a message of NO RESULTS.....
But on using the Preview it shows all the Data.
This seems very odd it's not returning any data after the input is saved.

0 Karma

cmerriman
Super Champion

do you have a timestamp configured in the parameters?

the way i have parameters set out in one of my inputs is the max rows is 10000000, timestamp is current index time because my input has no time field to use, and my execution frequency is 0 7 1 * *

for my metadata, my host is my main host name, and my source, sourcetype and index are all named the same, as i created an entirely new index for this input.

what configurations do you have set?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...