DB-Connect version 3.1 indexing issue

krithiv
New Member

I am facing issues with indexing after the installation of Splunk dbconnect. Below are the details about the environment.

Splunk environment : Distributed with single search head and clustered indexers.
DB-Connect version : 3.1.1
Splunk version : 6.4.4
Server OS: Windows 2k12
Logs collected are from Microsoft SQL-Server database.

Current state:
DB-Connect is installed on search-head server and the queries are getting executed as expected in the SQL-Explorer.

Issue :
Neither the “dbx” logs nor the “inputs” are getting indexed. How do I forward these to the indexers so that I can search using the Search and Reporting app?
Also, I have not installed a forwarder on the search head. Do I need to do it, or does the dbconnect app internally forward data to the indexers?
Could you please help me in fixing this issue?

0 Karma
1 Solution

tiagofbmm
Influencer

You don't need to install a Universal Forwarder for sending the DBConnect data to the indexer layer. (every Splunk instance has Forwarding embedded in it)

You should have already an outputs.conf file to send everything from the SH to the indexer layer (at least all your internal logs).

If you don't have that one yet, I would create a blank app named org_all_outputs, then in the local directory, put an outputs.conf and point the SH to send everything to the indexer layer (meaning all your indexers).

https://docs.splunk.com/Documentation/Forwarder/7.0.2/Forwarder/Configureforwardingwithoutputs.conf


0 Karma

krithiv
New Member

Hi, thank you for the response. I checked "outputs.conf" and see that it is configured properly.

0 Karma

tiagofbmm
Influencer

Just to be sure, can you do this search and check if your SH internal data is reaching the Indexer layer?

Last 24h:

| tstats count by host

Check if your SH is in the host column please

0 Karma

krithiv
New Member

The SH name is not there in the host column, which means SH data is not reaching the Indexer layer. But the outputs.conf is configured properly.

0 Karma

tiagofbmm
Influencer

Could you please show your outputs.conf configuration?

And can you make sure also that your Indexer has an inputs.conf that is opening a receiving port with a [splunktcp:<port>]?

0 Karma

krithiv
New Member

Output.conf : "Splunk\etc\system\local\outputs.conf" on SH

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://indexer1:9997]

[tcpout:default-autolb-group]
disabled = false
server = indexer1:9997,indexer2:9997
compressed = true

[tcpout-server://indexer2:9997]

0 Karma

krithiv
New Member

And also I do not see "inputs.conf" file in the SH "Splunk\etc\apps\splunk_app_db_connect\local"

0 Karma

tiagofbmm
Influencer

Please follow this link to create your database inputs. Those are the ones that will be sent to your Indexer layer.

http://docs.splunk.com/Documentation/DBX/3.1.2/DeployDBX/Createandmanagedatabaseinputs

0 Karma

tiagofbmm
Influencer

Are the indexer1 and indexer2 reachable from your SH?

Do you have the [splunktcp:9997] in your inputs.conf on both indexer1 and indexer2?

Can you check on your SH $SPLUNK_HOME/var/log/splunk/splunkd.log for something about "TcpOutputProc - Tcpout Processor ERROR" and give us what it refers to?

0 Karma

krithiv
New Member

Yeah. There is an error Processor error

03-19-2018 01:57:50.449 -0700 ERROR TcpInputProc - Error encountered for connection from src. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

0 Karma

tiagofbmm
Influencer

Well then you have to solve that first just to have your internal logs (including dbx) being sent and properly searched in the indexers layer.

0 Karma

krithiv
New Member

Thank you.

0 Karma
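
A triage sketch for the checks walked through in this thread, added here as an example and not code from any poster or from Splunk: it reads the outputs.conf posted above to list the servers the search head forwards to, then pulls TcpInputProc/TcpOutputProc ERROR lines out of splunkd.log. The function names, the INFO log line, the "ssl" key heuristic and the hint text are assumptions made for illustration.

```python
import configparser
import re

# Constructed input: the outputs.conf posted in the thread (blank lines dropped).
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://indexer1:9997]
[tcpout:default-autolb-group]
disabled = false
server = indexer1:9997,indexer2:9997
compressed = true
[tcpout-server://indexer2:9997]
"""
# Constructed log: line 1 is the error quoted in the thread, line 2 is invented.
SPLUNKD_LOG = """\
03-19-2018 01:57:50.449 -0700 ERROR TcpInputProc - Error encountered for connection from src. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
03-19-2018 01:58:02.101 -0700 INFO  TcpOutputProc - constructed informational line
"""
ERROR_RE = re.compile(r"^(\S+ \S+ \S+) ERROR\s+(Tcp(?:Input|Output)Proc) - (.*)$")

def forwarding_targets(conf_text):
    """List (group, host, port, has_ssl_keys) for servers in the default tcpout group(s)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (defaultGroup)
    cp.read_string(conf_text)
    targets = []
    for group in cp.get("tcpout", "defaultGroup", fallback="").split(","):
        section = "tcpout:" + group.strip()
        if not cp.has_section(section) or cp.getboolean(section, "disabled", fallback=False):
            continue
        # Heuristic (assumption): any key containing "ssl" means TLS is configured.
        has_ssl = any("ssl" in key.lower() for key in cp[section])
        for server in cp.get(section, "server", fallback="").split(","):
            host, _, port = server.strip().rpartition(":")
            if host and port.isdigit():
                targets.append((group.strip(), host, int(port), has_ssl))
    return targets

def forwarding_errors(log_text):
    """List (timestamp, component, message, hint) for TcpInputProc/TcpOutputProc ERROR lines."""
    findings = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            # OpenSSL reports this when the bytes received are not a valid TLS record,
            # which often means only one end of the connection has SSL enabled.
            hint = "check SSL is on at both ends or neither" if "wrong version number" in m.group(3) else None
            findings.append((m.group(1), m.group(2), m.group(3), hint))
    return findings

if __name__ == "__main__":
    print(forwarding_targets(OUTPUTS_CONF), forwarding_errors(SPLUNKD_LOG), sep="\n")
```

Against the posted configuration it reports both indexers on port 9997 with no SSL keys in the group stanza, which is the detail to compare with the receiving stanza on each indexer.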