All Apps and Add-ons

DBX Tail not indexing Microsoft SQL (new version 1.0.8)

ngcgoon
Explorer

Database Connector to my MSSQL (McAfee) is working and connecting fine; however, when I set up an input via tail instead of dump, I do not get any data into the specified index. I get an ERROR;TailDatabaseMonitor Could not allocate space for object dbo.SORT temporary run storage: 140844726157312 in database 'tempDB' because PRIMARY file group is full.
Then it tells me to clean out fileGroup data etc.

Since I am not the DBAdmin, is this a DB issue that they will have to perform? Because this is not allowing me to get data into the index. I am using the ReceivedUTC as the incremental field. I have over 25 fields to pull out of the table, and I am polling for data every 15 minutes. I can see the tables and the databases and even make some queries manually, however not through the dbx inputs.

Anyone got any suggestions?

0 Karma
1 Solution

gkanapathy
Splunk Employee

Yes. It appears that you have chosen an unindexed field as your increment field, and the db server needs to sort the table to determine new rows, and you don't have enough temp space to sort a table that size. Your options would be to find an indexed field on that table, get fewer columns, use a more restrictive query, or increase the temp size. Without knowing much more, it's hard to say what your best choice would be.

View solution in original post
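The accepted answer comes down to three checks on the SQL Server side: whether the rising column is actually indexed, how much room tempdb has left for the sort, and whether the tail query can be made more selective. The T-SQL below is an added example and is not from the thread, from Splunk, or from McAfee. It assumes a table named dbo.EPOEvents with a datetime ReceivedUTC column and a handful of event columns (all assumed names; substitute your own), and that DB Connect supplies the last checkpoint value where the script declares @last_checkpoint. It also shows the bounded, time-windowed form of the query that the follow-up question about "events created from the previous hour" asks for.

```sql
-- Added example, not the thread's own SQL. Table and column names
-- (dbo.EPOEvents, ReceivedUTC, AgentGUID, ...) are assumptions.

-- 1. Is ReceivedUTC the leading key column of any index on the table?
--    Only a leading position lets the server find "rows newer than X"
--    without sorting the whole table into tempdb.
SELECT i.name AS index_name, i.type_desc, ic.key_ordinal
FROM sys.indexes AS i
JOIN sys.index_columns AS ic
  ON ic.object_id = i.object_id AND ic.index_id = i.index_id
JOIN sys.columns AS c
  ON c.object_id = ic.object_id AND c.column_id = ic.column_id
WHERE i.object_id = OBJECT_ID(N'dbo.EPOEvents')
  AND c.name = N'ReceivedUTC'
  AND ic.key_ordinal = 1;

-- 2. How full is tempdb? Size and used space per file, in MB.
--    (FILEPROPERTY needs the tempdb context.)
USE tempdb;
SELECT name,
       size / 128.0 AS size_mb,
       CAST(FILEPROPERTY(name, 'SpaceUsed') AS int) / 128.0 AS used_mb
FROM sys.database_files;

-- 3. If step 1 returned nothing, the fix the answer recommends is an index
--    on the rising column. This is a DBA task; the account DB Connect uses
--    should stay read-only and not hold CREATE INDEX rights.
CREATE NONCLUSTERED INDEX IX_EPOEvents_ReceivedUTC
  ON dbo.EPOEvents (ReceivedUTC);

-- 4. Tail-style query: only rows past the checkpoint, ordered by the indexed
--    column, with a bounded batch and only the columns actually needed.
--    @last_checkpoint stands in for the value DB Connect stores after each
--    run; the bound below restricts the first run to the previous hour
--    instead of the whole table.
DECLARE @last_checkpoint datetime2 = DATEADD(HOUR, -1, SYSUTCDATETIME());

SELECT TOP (5000)
       ReceivedUTC, AgentGUID, ThreatName, ThreatSeverity, TargetHostName
FROM dbo.EPOEvents
WHERE ReceivedUTC > @last_checkpoint
ORDER BY ReceivedUTC ASC;
```

Run steps 1 and 2 with the same account DB Connect uses so the results reflect what the input actually sees; step 3 goes to the DBA. With the index in place, step 4 is a range seek plus an ordered scan of the new rows, which is what removes the tempdb sort the error message is complaining about.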

ngcgoon
Explorer

UPDATE: Now the query does not use the tail effectively. I have ReceivedUTC as the incrementing field (epoch) and I get the same records or no records at all. There are no log entries that show any errors either. So how can I query the database to send me events created from the previous hour?

0 Karma

ngcgoon
Explorer

OK, I shortened the queries to 128 or less and split them into about 5 separate ones. So for now it is working!

Thanks again for the response.

0 Karma

gkanapathy
Splunk Employee

SQL Server. The message and complaint is entirely from MS SQL Server.

0 Karma

ngcgoon
Explorer

Cool, let me try that. I guess I have to get a dbadmin to adjust the temp space on the DB server...

0 Karma