All Apps and Add-ons

DBConnect 3 : not getting data writen into splunk events

arlakathena
Explorer

Hey Guys,
I'm new to Dbconnect but i have this urgent problem.

from the application, i created an input (mode=rising) based on a rising column timestamp created in oracle DB.
query:
**SELECT DISTINCT * FROM "DB"."TABLE"
WHERE TIME > ?
ORDER BY TIME ASC
*

The execution of the query in rising mode is successful !! but then NO DATA created in splunk!
i tracked down the error:

2019-04-23 11:43:01.645 +0100 INFO c.s.dbx.server.task.listeners.JobMetricsListener - action=collect_job_metrics connection=DB jdbc_url=null db_read_time=4 hec_record_process_time=350 format_hec_success_count=1000 status=FAILED input_name=test2 batch_size=1000 error_threshold=N/A is_jmx_monitoring=false start_time=2019-04-23_11:43:00 end_time=2019-04-23_11:43:01 duration=1643 read_count=1000 write_count=0 filtered_count=0 error_count=0

0 Karma
1 Solution

arlakathena
Explorer

I found the solution !

after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :

HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*

Save, java server restarts.

I've got help from this question

View solution in original post

arlakathena
Explorer

I found the solution !

after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :

HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*

Save, java server restarts.

I've got help from this question

MattibergB
Path Finder

Hi,

Is HEC running on the heavy forwarder and did you make a token for dbconnect?
You could try Debug HTTP Event Collector port issues in the troubleshooting page:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Troubleshooting

0 Karma

arlakathena
Explorer

The token is created by the app as db-connect-http-input
the port unchanged by default 8080, ssl is enabled
it's not a distributed environment, it's a full (all-in) instance.

i checked index=_internal 8088 for errors but in vain.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...