
DBX Tail not indexing Microsoft SQL (new version 1.0.8)

ngcgoon
Explorer

Database Connector to my MSSQL (McAfee) is working and connecting fine; however, when I set up an input via tail instead of dump, I do not get any data into the specified index. I get an ERROR;TailDatabaseMonitor Could not allocate space for object dbo.SORT temporary run storage: 140844726157312 in database 'tempDB' because PRIMARY file group is full.
Then it tells me to clean out fileGroup data etc etc etc.

Since I am not the DBAdmin, is this a DB issue that they will have to perform? Because this is not allowing me to get data into the index. I am using the ReceivedUTC as the incremental field. I have over 25 fields to pull out of the table, and I am polling for data every 15 minutes. I can see the tables and the databases and even make some queries manually, however not through the dbx inputs.

Anyone got any suggestions?

0 Karma

gkanapathy
Splunk Employee

Yes. It appears that you have chosen an unindexed field as your increment field, and the db server needs to sort the table to determine new rows, and you don't have enough temp space to sort a table that size. Your options would be to find an indexed field on that table, get fewer columns, use a more restrictive query, or increase the temp size. Without knowing much more, it's hard to say what your best choice would be.

ngcgoon
Explorer

UPDATE: Now the query does not use the tail effectively. I have ReceivedUTC as the incrementing field (epoch) and I get the same records or no records at all. There are no log entries that show any errors either. So how can I query the database to send me events created from the previous hour?

0 Karma

ngcgoon
Explorer

OK I shortened the queries to 128 or less and split them into about 5 separate ones. So for now it is working!

Thanks again for the response.

0 Karma

gkanapathy
Splunk Employee

sqlserver. The message and complaint are entirely from mssqlserver.

0 Karma

ngcgoon
Explorer

Cool, let me try that. I guess I have to get a dbadmin to adjust the temp space on the DB server...

0 Karma
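
The diagnosis in the accepted answer (an unindexed increment field forcing a sort in tempdb) can be checked on the SQL Server side. The T-SQL below is an added example, not part of the original thread or of DB Connect; the table name dbo.ExampleEvents, the columns other than ReceivedUTC, the checkpoint value and the batch size are placeholders to replace with your own.

```sql
-- Placeholders (assumptions, not from the thread): table name and column list.
DECLARE @table  sysname = N'dbo.ExampleEvents';
DECLARE @column sysname = N'ReceivedUTC';

-- 1) Is the increment column the leading key of any index on the table?
--    No rows back means ORDER BY on that column has no index to read in
--    order, so the server has to sort the rows itself.
SELECT i.name       AS index_name,
       i.type_desc  AS index_type,
       ic.key_ordinal
FROM sys.indexes AS i
JOIN sys.index_columns AS ic
  ON ic.object_id = i.object_id AND ic.index_id = i.index_id
JOIN sys.columns AS c
  ON c.object_id = ic.object_id AND c.column_id = ic.column_id
WHERE i.object_id = OBJECT_ID(@table)
  AND c.name = @column
  AND ic.is_included_column = 0
  AND ic.key_ordinal = 1;

-- 2) How much free space tempdb has right now
--    (needs VIEW SERVER STATE, so this one is usually for the DBA).
SELECT SUM(unallocated_extent_page_count) * 8 / 1024 AS tempdb_free_mb
FROM tempdb.sys.dm_db_file_space_usage;

-- 3) A more restrictive incremental query: few columns, only rows past
--    the last value already collected, capped batch size.
--    @checkpoint is assumed to be an integer epoch value, as the poster
--    describes; change the type if the column is a datetime.
DECLARE @checkpoint bigint = 0;   -- constructed sample value
SELECT TOP (500)
       ReceivedUTC,
       ExampleColumnA,            -- placeholder column
       ExampleColumnB             -- placeholder column
FROM dbo.ExampleEvents
WHERE ReceivedUTC > @checkpoint
ORDER BY ReceivedUTC ASC;
```

Comparing the estimated execution plan of query 3 before and after choosing an indexed increment field shows whether the Sort operator is still present.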