All Apps and Add-ons

Splunk 6.4.0 Integration with McAfee ePO 5.3.1: Why am I getting "Invalid Query" in Splunk DB Connect 2?

lakshman238
Engager

We have Splunk Enterprise running in Windows 2012 server and I have configured Splunk DB Connect 2.x (latest) to connect to the MS SQL server 11.x database and the connections are valid.

I am following steps (config inputs) as per below and the query in the inputs.conf throws errors when I validate it in the DB Connect GUI, as part of step 2. (preview data). The error is:

Invalid Query 

External search command 'dbxquery' returned error code 1. First 1000 (of 3842) bytes of script output: "RuntimeError: Failed to run query: "SELECT * FROM (SELECT [EPOEvents].[ReceivedUTC] as [timestamp], [EPOEvents].[AutoID], [EPOEvents].[ThreatName] as [signature], [EPOEvents].[ThreatType] as [threat_type], [EPOEvents].[ThreatEventID] as [signature_id], [EPOEvents].[ThreatCategory] as [category], [EPOEvents].[ThreatSeverity] as [severity_id], [EPOEventFilterDesc].[Name] as [event_description], [EPOEvents].[DetectedUTC] as [detected_timestamp], [EPOEvents].[TargetFileName] as [file_name], [EPOEvents].[AnalyzerDetectionMethod] as [detection_method], [EPOEvents].[ThreatActionTaken] as [vendor_action], CAST([EPOEvents].[ThreatHandled] as int) as [threat_handled], [EPOEvents].[TargetUserName] as [logon_user], [EPOComputerProperties].[UserName] as [user], [EPOComputerProperties].[DomainName] as [dest_nt_domain], [EPOEvents].[TargetHostName] as [dest_dns], [EPOEvents].[TargetHostName] as [dest_nt_host], [EPOComputerProperties].[IPHostName] as [fqdn], [dest_ip] = ( convert(varchar(3),convert(ti

http://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureDBConnectv2inputs

Appreciate any help/pointers.

season88481
Contributor

I think I have the exact same problem.

I tested the tables, actually all tables are from a schema called 'dbo'. When I searching for the mentioned tables individually, I can see input normally.

EPOEvents Input OK
Query: SELECT * FROM "mydatabasename"."dbo"."EPOComputerProperties"
EPOLeafNode Input OK
EPOProdPropsView_VIRUSCAN Input OK
EPOComputerProperties Input OK
EPOEventFilterDesc Input OK

I guess it must be something we could edit to make the db query working.

0 Karma

xrtan
Explorer

Have u tried testing the query yet?

DBConnect 2 > Connections

Click on the Connection u created, there should be a Query tab. Paste your query and see does it runs.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...