
Has anyone configured splunk add-on for MySQL?

mayurr98
Super Champion

Splunk Add-on for MySQL version: 1.1.0
Splunk DB Connect version: 3.1.2

I have a single-instance Splunk Enterprise. I have set up and configured the Splunk Add-on for MySQL, but I am not receiving any logs.
Here are the step-by-step actions I have taken:
1. Installed the Splunk DB Connect app and created just a connection to the MySQL database.
2. Installed the Splunk Add-On for MySQL.
3. Set up the Splunk Add-on for MySQL.
4. Configured inputs for the Splunk Add-on for MySQL.

After this I checked sourcetype=mysql*. Output: No results found.

I referred to the troubleshooting manual.

According to the troubleshooting manual, this add-on has 3 logs that are located at $SPLUNK_HOME/var/log/splunk:

splunk_ta_mysql_main.log
splunk_ta_mysql_setup.log
splunk_ta_mysql_util.log

I ran index=_internal source=*ta_mysql* error and I am getting errors related to the util logs.

The errors are:

2018-02-15 18:16:53,979 ERROR pid=28194 tid=MainThread file=rest.py:splunkd_request:44 | Failed to send rest request=https://127.0.0.1:8089/servicesNS/-/-/configs/conf-mysql_db?count=0&offset=0, errcode=unknown, reason=Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_mysql/bin/ta_util2/rest.py", line 42, in splunkd_request
    headers=headers, body=data)
  File "/opt/splunk/etc/apps/Splunk_TA_mysql/bin/ta_util2/httplib2/__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/opt/splunk/etc/apps/Splunk_TA_mysql/bin/ta_util2/httplib2/__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/opt/splunk/etc/apps/Splunk_TA_mysql/bin/ta_util2/httplib2/__init__.py", line 1257, in _conn_request
    conn.connect()
  File "/opt/splunk/etc/apps/Splunk_TA_mysql/bin/ta_util2/httplib2/__init__.py", line 1060, in connect
    raise socket.error, msg
error: [Errno 111] Connection refused

Am I missing something?

0 Karma
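
An added example, not part of the original post or the add-on's own code: it parses the error record quoted above, extracts the REST target and the errno, and separates TCP-level failures from everything else. The function names and category labels are assumptions made for illustration, and the errno values are the Linux ones, matching the host in the log.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample: first and last lines of the traceback quoted in the post.
SAMPLE = (
    "2018-02-15 18:16:53,979 ERROR pid=28194 tid=MainThread "
    "file=rest.py:splunkd_request:44 | Failed to send rest request="
    "https://127.0.0.1:8089/servicesNS/-/-/configs/conf-mysql_db?count=0&offset=0, "
    "errcode=unknown, reason=Traceback (most recent call last):\n"
    "error: [Errno 111] Connection refused\n"
)

REQ_RE = re.compile(r"Failed to send rest request=(\S+?), errcode=(\w+)")
ERRNO_RE = re.compile(r"\[Errno (\d+)\]")

# Linux errno numbers, as they appear in the Python traceback.
ECONNREFUSED, ETIMEDOUT, EHOSTUNREACH, ENETUNREACH = 111, 110, 113, 101


def parse_failure(text):
    """Return (host, port, errcode, errno) from a rest.py error record, or None."""
    m = REQ_RE.search(text)
    if not m:
        return None
    url = urlsplit(m.group(1))
    port = url.port or (443 if url.scheme == "https" else 80)
    e = ERRNO_RE.search(text)
    return url.hostname, port, m.group(2), int(e.group(1)) if e else None


def classify(err_no):
    """Label the failure by the layer at which it happened."""
    if err_no == ECONNREFUSED:
        # The TCP handshake was rejected, so no HTTP request was ever sent.
        return "tcp-refused"
    if err_no in (ETIMEDOUT, EHOSTUNREACH, ENETUNREACH):
        return "tcp-unreachable"
    return "other"


def probe(host, port, timeout=2.0):
    """TCP connect test: returns 0 if a listener accepts, else the local errno."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port))
```

Running `probe()` on the Splunk host with the host and port returned by `parse_failure()` shows whether anything is listening on the address the add-on is calling.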

jcoates
Communicator

That error says that an input in the MySQL add-on is trying to use Splunk's REST endpoint and doesn't have permissions. Most likely this is happening when the add-on tries to enable its preconfigured inputs.

  1. Make sure your DB Connect can talk to the MySQL database; maybe index a small table into a test index to be sure everything really works.
  2. Check permissions all around. Make sure DB Connect and the add-on have global scope, and make sure you're in the DBX admin role.
  3. The docs' advice for checking that you've got data is potentially misleading; a sourcetype search won't help if the input is writing into an index that your user doesn't search by default. For instance: your input successfully writes data into index=foo, but your role is only searching index=bar by default. Pasting the search from the docs will get no results, but index=foo sourcetype=mysql:* will work.

mayurr98
Super Champion

Thanks for a quick reply. I have given all permissions and am also able to index data through the DB Connect app. I did follow all the above steps but still did not get any results. Have you ever configured this add-on? My Splunk environment is simple.
I have a single-instance Splunk Enterprise and one SQL server. What I have done is successfully establish a connection and set up the MySQL add-on, and after that configure the add-on as mentioned in this doc, which enabled data inputs.

[mysql]
disabled = true
interval = 60

[mysql://bin_log]
log_type = bin_log
duration = 10

[mysql://log_from_util]
log_type = util_log
duration = 10

This got created in the MySQL add-on on my Splunk server. Here I am assuming that these inputs are talking to the MySQL server via the connection established by the DB Connect app. Also, I am assuming that because I have established a connection, I do not need to install a heavy forwarder on the SQL server and do these steps.

Do I need to install a heavy forwarder on the SQL server and configure the add-on, the DB Connect app and the forwarder?

Also, for slow logs and error logs, do I need to use a heavy forwarder? The docs mention file monitoring.

0 Karma

jcoates
Communicator

The add-on has two types of inputs -- preconfigured DB Connect based inputs, which you have to activate through the add-on's setup, and file monitors, which you have just shown. DB Connect does not have to run locally to the database.

0 Karma

mayurr98
Super Champion

So for file monitoring, do I have to configure a universal forwarder on the SQL server with the add-on?
If no, then how does it fetch the slow logs and error logs from the MySQL server? There is no connection between the Splunk instance and the DB except the DB Connect connection, which is solely for DB Connect inputs.

0 Karma

jcoates
Communicator

Either that, or arrange for the files to be somewhere that Splunk can read them.

0 Karma