How do I troubleshoot why an Index isn't getting all the data from a query for some records using DB Connect?

JustinV
Engager

I am using Splunk DB Connect and most rows are being populated correctly. I do have some rows that are not getting data for all the columns. When I look at the source DB using either SQL Management Studio or the DB Connect app, I do see that all the columns are populated, but when I look at the indexed data on Splunk, I see that after a description column, the rest of the columns are not getting put into the index. This is only for some records. One thing I noticed on one of the broken records is that after the 50th character in the description column, the rest of the text in the description column isn't showing up in the index. There are also some carriage returns after the 50th character, but there are a few characters before the carriage returns that aren't showing up. When I look at the Database info, the description column shows as a varchar(255) column.

What can I do to troubleshoot why it stops indexing the row while it's loading the description column?

0 Karma
1 Solution

martin_mueller
SplunkTrust

Are you using the single-line key-value format from DB Connect?

If so, switch to multi-line key-value format - I'm guessing your description has line breaks in it, causing the single-line key-value format to start a new event... your trailing partial events will be somewhere, but possibly under different timestamps.

0 Karma
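
A simplified model of the failure described in the answer above, added here as an example (it is not code from the thread or from DB Connect): rows are rendered as one line of key="value" pairs, the stream is split at every line break, and each row is audited for fields that no longer arrive complete in its first event. The key="value" rendering, the line-breaking rule, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Constructed sample rows (not from the thread). The second description
# contains CR/LF line breaks, like the broken records in the question.
ROWS = [
    {"id": 1, "description": "Replaced toner", "status": "closed", "owner": "ops"},
    {"id": 2, "description": "Printer offline\r\nsee ticket\r\nfollow-up",
     "status": "open", "owner": "it"},
]

def to_single_line_kv(row):
    """Render a row as key="value" pairs on one line (assumed, simplified format)."""
    return " ".join(f'{k}="{v}"' for k, v in row.items())

def break_into_events(stream):
    """Model line-based event breaking: each run of CR/LF starts a new event."""
    return [e for e in re.split(r"[\r\n]+", stream) if e]

def fields_in(event):
    """Keys whose key="value" pair is complete inside a single event."""
    return re.findall(r'(\w+)="[^"]*"', event)

def audit(rows):
    """Per row id: event count, fields incomplete in the first event,
    and fields stranded in later (partial) events."""
    report = {}
    for row in rows:
        events = break_into_events(to_single_line_kv(row))
        complete = set(fields_in(events[0]))
        report[row["id"]] = {
            "events": len(events),
            "incomplete": [k for k in row if k not in complete],
            "stranded": [k for e in events[1:] for k in fields_in(e)],
        }
    return report

if __name__ == "__main__":
    for row_id, result in audit(ROWS).items():
        print(row_id, result)
```

Running the same check against an export of the source table lists which records contain embedded line breaks, and therefore which indexed events to look for as stranded partial events.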

martin_mueller
SplunkTrust

The input setting will only affect new data; old data will be unchanged.

Some field extractions may need to be adjusted though.

0 Karma

JustinV
Engager

We are using single-line key-value. If I change this to multi-line, what will happen to all the old data? We currently have 1 year of history data and I can't lose it.

0 Karma