All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DB Connect bug

scannon4
Communicator
‎01-30-2023 04:28 AM

I wanted to bring this issue to your attention.  We upgraded from 3.10.0 or DB Connect to 3.11.0 back on November 2022.  We use an external HEC destination for DB Connect to send its to before it gets to Splunk instead of the local/built-in DB Connect destination (and have been for over a year).  There seems to be a bug sending to an external HEC destination.  We started getting complaints in early January 2023 from users that data was missing in Splunk.  We temp moved these inputs back to the internal HEC and the issue went away.  I setup a test DB Connect on 3.11.0 and setup the same inputs on it but sending to external HEC and then to a test index.  We did a search to compare the test data with production data and we saw that throughout the day, there were many times when the inputs ran that the data was not making it into Splunk.  The first clue there was an issue was seeing this in the logs every time the inputs ran:

[Scheduled-Job-Executor-3] ERROR c.s.d.s.d.r.HttpEventCollectorLoadBalancer - failed to post events:

I remembered that we upgraded DB Connect back in November so I decided to downgrade back to 3.10.0 on the test DB connect server.  The failed to post events error went away and all the data in test and prod matched up with no loss of data.I don't know what changed in DB Connect 3.11.0 and higher (3.11.1 has same issue) but this is a fairly big one for me.  I will stay with 3.10.0 for now but someone from Splunk needs to look into this issue.

Labels (2)
0 Karma
Reply

scannon4
Communicator
‎01-30-2023 12:37 PM

Thanks Rich.  I planned on doing that anyway.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 05:45 AM

Thanks for sharing, @scannon4 but this forum has no guarantee of reaching anyone at Splunk.  Submit the bug report to Support or at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...