Hi,
In DB connect app for one of the connections we are able to see the sql output in the app but it has stopped indexing. We can see the connection name in dbx_audit log but no errors.
11/15/18
12:56:13.938 PM
2018-11-15 12:56:13.938 25125@psplunksh03 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=dbxquery connection_name=OBJPROD stanza_name= state=success sql='select ACTIVE_USERS, LICENSE_COUNT from (select count() as Active_Users from users where DATE_INACTIVATE is null and DATE_DISABLE is null) cross join LICENSED_USERS'
host = source = /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2018-11-15.log sourcetype = dbx_audit
11/15/18
12:49:11.195 PM
2018-11-15 12:49:11.195 54724@psplunksh03 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=dbxquery connection_name=OBJPROD stanza_name= state=success sql='select ACTIVE_USERS, LICENSE_COUNT from (select count() as Active_Users from users where DATE_INACTIVATE is null and DATE_DISABLE is null) cross join LICENSED_USERS'
host = source = /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2018-11-15.log sourcetype = dbx_audit
11/15/18
12:41:00.687 PM
2018-11-15 12:41:00.687 17855@psplunksh03 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=dbxquery connection_name=OBJPROD stanza_name= state=success sql='select ACTIVE_USERS, LICENSE_COUNT from (select count() as Active_Users from users where DATE_INACTIVATE is null and DATE_DISABLE is null) cross join LICENSED_USERS'
host = source = /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2018-11-15.log sourcetype = dbx_audit
11/15/18
12:34:05.424 PM
2018-11-15 12:34:05.424 47505@psplunksh03 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=dbxquery connection_name=OBJPROD stanza_name= state=success sql='select ACTIVE_USERS, LICENSE_COUNT from (select count() as Active_Users from users where DATE_INACTIVATE is null and DATE_DISABLE is null) cross join LICENSED_USERS'
host = source = /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2018-11-15.log sourcetype = dbx_audit
11/15/18
12:20:21.338 PM
2018-11-15 12:20:21.338 46563@psplunksh03 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=dbxquery connection_name=OBJPROD stanza_name= state=success sql='select ACTIVE_USERS, LICENSE_COUNT from (select count() as Active_Users from users where DATE_INACTIVATE is null and DATE_DISABLE is null) cross join LICENSED_USERS'
host = source = /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2018-11-15.log sourcetype = dbx_audit
11/15/18
12:15:07.969 PM
2018-11-15 12:15:07.969 22282@psplunksh03 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation=dbxquery connection_name=OBJPROD stanza_name= state=success sql='select ACTIVE_USERS, LICENSE_COUNT from (select count() as Active_Users from users where DATE_INACTIVATE is null and DATE_DISABLE is null) cross join LICENSED_USERS'
host = source = /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2018-11-15.log sourcetype = dbx_audit
Hi ketannagpal,
a good starting point is the DB connect input health http://docs.splunk.com/Documentation/DBX/health/DeployDBX/Monitordatabaseconnectionhealth it might be your input was disabled by DB connect because of too many errors on it.
If the input is still enabled, check the troubleshooting section of the docs http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Troubleshooting which provides a lot of useful tips.
Hope this helps ...
cheers, MuS
Thanks MuS, I have verified everything in DB connect. This is an issue with one particular connection,In DB connect app everything looks good, but data is not present in indexer. I can also see the sourcetype present in license.log file.
Did you search over all time
just in case the time stamps are not correct/recognised ?