All Apps and Add-ons

DBConnect 3 : not getting data writen into splunk events

Explorer

Hey Guys,
I'm new to Dbconnect but i have this urgent problem.

from the application, i created an input (mode=rising) based on a rising column timestamp created in oracle DB.
query:
**SELECT DISTINCT * FROM "DB"."TABLE"
WHERE TIME > ?
ORDER BY TIME ASC
*

The execution of the query in rising mode is successful !! but then NO DATA created in splunk!
i tracked down the error:

2019-04-23 11:43:01.645 +0100 INFO c.s.dbx.server.task.listeners.JobMetricsListener - action=collect_job_metrics connection=DB jdbc_url=null db_read_time=4 hec_record_process_time=350 format_hec_success_count=1000 status=FAILED input_name=test2 batch_size=1000 error_threshold=N/A is_jmx_monitoring=false start_time=2019-04-23_11:43:00 end_time=2019-04-23_11:43:01 duration=1643 read_count=1000 write_count=0 filtered_count=0 error_count=0

0 Karma
1 Solution

Explorer

I found the solution !

after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :

HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*

Save, java server restarts.

I've got help from this question

View solution in original post

Explorer

I found the solution !

after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :

HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}

==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*

Save, java server restarts.

I've got help from this question

View solution in original post

Path Finder

Hi,

Is HEC running on the heavy forwarder and did you make a token for dbconnect?
You could try Debug HTTP Event Collector port issues in the troubleshooting page:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Troubleshooting

0 Karma

Explorer

The token is created by the app as db-connect-http-input
the port unchanged by default 8080, ssl is enabled
it's not a distributed environment, it's a full (all-in) instance.

i checked index=_internal 8088 for errors but in vain.

0 Karma