All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query Data Not Going into Index with DBConnect

weicai88
Path Finder
‎01-15-2016 09:05 AM

Hi,

I use DBConnect 2 to pull McAfee endpoint security data from ePO into Splunk and that part works great. However, when I tried to pull additional audit data from the same database, the data won't show up in the index. The test of the SQL query in the DBConnect connection was successful and there's no error in the splunkd.log. Here's the stanza in the inputs.conf:

[mi_input://ta_mcafee_epo_5_input:audit]
disabled = 0
host = <SQL Host Name>
connection = <Connection Name>
index = mcafee
interval = * * * * *
max_rows = 10000
output_timestamp_format = YYYY-MM-dd HH:mm:ss

changed "SELECT TOP 10000" to just "SELECT" because it's not working with DBXv2

query = SELECT [AutoId],[UserId],[UserName],[Priority],[CmdName],[Message],[Success],[StartTime],[EndTime],[RemoteAddress],[TenantId] FROM [ePO_MTIB-EPO-APP].[dbo].[OrionAuditLogMT] WHERE [AutoID] >10000
sourcetype = mcafee:audit
source = dbx1
mode = tail
tail_follow_only = 1
tail_rising_column_name = AutoID
tail_rising_column_number = 2
ui_query_mode = advanced
input_timestamp_column_name = timestamp
input_timestamp_column_number = 1
tail_rising_column_checkpoint_value = 10000

What could be the problem?

Thanks!
Wei

0 Karma
Reply

thirulog
New Member
‎12-04-2017 09:01 PM

Wei,

did u find any solution for your issue

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎01-17-2016 06:57 PM

Do you have your DB configured to use case-sensitive column names? If so, check for proper spelling of your "AuditID" column, as you used inconsistent spelling. I suspect that it's not the case since you said the query works fine by itself, but thought I'd point it out anyways.
Also, if you want to use a rising column, your SQL statement needs to include {{WHERE $rising_column$ > ?}}

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...