All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

DBConnect: Indexes missing in New Input dropdown

cjj1977
Path Finder
‎09-21-2016 02:06 AM

I am using DBConnect 2.3.0, recently installed on a single Search Head in front of a number of clustered Indexers. We have a large number of distinct indexes used by different teams. I created a new one yesterday to hold SQL data from a new business application.

When I try to create a new DBConnect input via DBConnect app > Operations > New Input, the drop-down list of indexes in stage 4 ("Metadata" configuration) I only see few indexes. I suspect these are indexes configured locally on the search head. This is the first time I have tried this.

How do I get DBConnect to recognise/use the new index that I created? If not via the GUI, is this possible via .conf files?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisduimstra
Path Finder
‎09-21-2016 10:53 AM

I had this same problem when running DBConnect from the search head. I'm running a single search head and indexer and all of the indexes are created in indexes.conf on the indexer. I was able to get it working by installing the app on the indexer and setting up the input from there.

This may also be useful for you.
https://answers.splunk.com/answers/91906/best-practice-to-install-configure-db-connect-in-a-distribu...

View solution in original post

Reply
Solved! Jump to solution

cjj1977
Path Finder
‎10-04-2016 09:01 AM

Workaround

This "bug" is only manifest in environments where the input is running on a Search Head in a distributed environment. This is not universally considered as best practice (https://answers.splunk.com/answers/91906). If you do implement such a design then you might want to follow the steps below.

I worked around this issue successfully by:

  1. Creating the input against the test index in a disabled state
  2. Editing inputs.conf to change the name of the index
  3. Enabling the input again (set disabled=0 in inputs.conf)
  4. Reloading the configuration with the \debug\refresh URL

Note: When using the app GUI, it does not show the correct index, but as long as that drop-down box isn't changed, it appears to leave the setting as-is when saving updates.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisduimstra
Path Finder
‎09-21-2016 10:53 AM

I had this same problem when running DBConnect from the search head. I'm running a single search head and indexer and all of the indexes are created in indexes.conf on the indexer. I was able to get it working by installing the app on the indexer and setting up the input from there.

This may also be useful for you.
https://answers.splunk.com/answers/91906/best-practice-to-install-configure-db-connect-in-a-distribu...

Reply
Solved! Jump to solution

cjj1977
Path Finder
‎10-04-2016 08:57 AM

I can see that installing on a single server/Indexer will work. The link suggests installing the app on a Heavy Forwarder. I'm not at liberty to test that in the environment I am working with. Can you/anyone confirm that installing the app on the HF will make the indexes visible in the UI?

0 Karma
Reply
Solved! Jump to solution

cjj1977
Path Finder
‎01-16-2017 06:00 AM

Coming back to this problem having learned more about Splunk, etc. the strict answer (pointed to by Chris) is that the app is only aware of indexes defined locally in indexes.conf.

Indeed, if you follow the advice in the link regarding best practice for distributed environments, the whole question becomes irrelevant as you'll be installing on servers (Indexers or Heavy Forwarders) where you won't use GUI configuration anyway.

This "bug" is only manifest in situations where you are configuring an input on a Search Head in a distributed environment; i.e. not following best-practice.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...