All Apps and Add-ons

DBConnect 3 : not getting data writen into splunk events

arlakathena
Explorer

Hey Guys,
I'm new to Dbconnect but i have this urgent problem.

from the application, i created an input (mode=rising) based on a rising column timestamp created in oracle DB.
query:
**SELECT DISTINCT * FROM "DB"."TABLE"
WHERE TIME > ?
ORDER BY TIME ASC
*

The execution of the query in rising mode is successful !! but then NO DATA created in splunk!
i tracked down the error:

2019-04-23 11:43:01.645 +0100 INFO c.s.dbx.server.task.listeners.JobMetricsListener - action=collect_job_metrics connection=DB jdbc_url=null db_read_time=4 hec_record_process_time=350 format_hec_success_count=1000 status=FAILED input_name=test2 batch_size=1000 error_threshold=N/A is_jmx_monitoring=false start_time=2019-04-23_11:43:00 end_time=2019-04-23_11:43:01 duration=1643 read_count=1000 write_count=0 filtered_count=0 error_count=0

0 Karma
1 Solution

arlakathena
Explorer

I found the solution !

after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :

HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*

Save, java server restarts.

I've got help from this question

View solution in original post

arlakathena
Explorer

I found the solution !

after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :

HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*

Save, java server restarts.

I've got help from this question

MattibergB
Path Finder

Hi,

Is HEC running on the heavy forwarder and did you make a token for dbconnect?
You could try Debug HTTP Event Collector port issues in the troubleshooting page:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Troubleshooting

0 Karma

arlakathena
Explorer

The token is created by the app as db-connect-http-input
the port unchanged by default 8080, ssl is enabled
it's not a distributed environment, it's a full (all-in) instance.

i checked index=_internal 8088 for errors but in vain.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...