How can I make DBX tail input populate?

andrey2007 · ‎07-01-2013

My tail input is not populating, i use ID field as increasing value. Once i created input, splunk indexed 12080826 events (12080826 it is a number of events in index created for this input). But later splunk tries to apply latest tail.rising.column value=12081329( i looked at dbx log), how can i change this value to 12080827 to make splunk continue indexing with next event?

andrey2007 · ‎12-09-2013

The reason was in McAfee antivirus settings we turned it off and allstarted to work!

splunkears · ‎07-17-2013

I was running into similar issue.

It looks like there is a file called state.xml under ../var/lib/splunk / persistence storage / state.xml
Look for the rising column value (your case its 12081329) in this file (state.xml).
Change it to whatever you want. In the next index cycle, your would notice that, in the file dbx.log, new data being flown into Splunk indexer.

The same logic for re-indexing a table data:
Say for example, you have already indexed a table with IDs ranging from 100-500 (ID being the rising column )
And then, want to re-index the table, we could change the ID value in state.xml back to say 1.
Then entire table gets reindexed.

This worked for me.

andrey2007 · ‎07-18-2013

I saw this file but i have no permissions to edit it. I need that dbx works continuously that why it is not solution for me.Is it a DBX app bug?

How can I make DBX tail input populate?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout