Splunk DB Connect 2: Oracle does not input data in index

italogf
Explorer

I am trying to run a select and input this data into Splunk.

In preview, I can see all the data that I need, but when the job runs to input the data, nothing happens; the data doesn't appear in the index.

antonyhan
Path Finder

I have the same problem....

0 Karma

jcoates_splunk
Splunk Employee

The presence of a rising column value makes me wonder if it's decided that you've already gotten all of the data.

  1. Is that a good rising column (where each row has a unique value for that column)?
  2. Are there greater than 5 rows?

0 Karma

italogf
Explorer

Yes, I'm using DB Connect v2.

My data is from around 2008 until now.

I don't understand this timestamp field input_timestamp_format very well. I can't input a format like YYYY-MM-dd HH:mm:ss; I need to put a real date in this field for it to be valid, like this: 2015/05/19 20:57:02

I tried putting it like this: input_timestamp_format = YYY/MM/dd HH:mm:ss, but Splunk DB Connect doesn't accept it.

0 Karma

italogf
Explorer

input.conf

[mi_input://Coleta]
connection = SM9
description = Coleta
index = oracle_servicecenter
input_timestamp_column_name = OPEN_TIME
input_timestamp_column_number = 1
input_timestamp_format = 2015/05/19 20/:57:02
interval = 24 * * * *
max_rows = 1000000
mode = tail
output_timestamp_format = YYYY-MM-dd HH:mm:ss
query = select * from log_report_adm.v_sm_open_documents
source = /opt/splunk/var/log/splunk/rpc.log
sourcetype = coleta_oracle_incidentes
ui_query_catalog = NULL
ui_query_mode = advanced
tail_rising_column_name = IDENTIFICADOR
tail_rising_column_number = 5
ui_query_schema = SPLUNK_SMUBR
tail_follow_only = 1

0 Karma

dolivasoh
Contributor

I thought I had the answer thinking you were using dbconnect1 but now I can see you are definitely using dbconnect2.

One of the main things to check is to be sure your data isn't older than 2000 days, as there is a default limit in the app out of the box.

Note: Be aware that DB Connect abides by the MAX_DAYS_AGO setting in the Splunk Enterprise props.conf file. When set, MAX_DAYS_AGO defines the number of days in the past, from the current date, that a date is considered valid. This means that any imported records with timestamps before today's date minus MAX_DAYS_AGO will not be indexed. The default setting for MAX_DAYS_AGO is 2000 days, so if you use DB Connect to consume database data that is older than that, you should increase that value in props.conf.

Secondly, and most likely, is your input timestamp format. See below.

input_timestamp_format = <value>
* optional
* specify the format of input timestamp column, in JavaSimpleDateString format.

0 Karma
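
The two causes raised in the answer above, as an added example that is not part of the thread or of DB Connect's own code: it checks a candidate input_timestamp_format against sample values with java.text.SimpleDateFormat and then applies the 2000-day MAX_DAYS_AGO default. It assumes DB Connect parses the column with SimpleDateFormat, as the spec excerpt says; the class and method names and the 2008 sample value are constructed.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.concurrent.TimeUnit;

public class TimestampInputCheck {
    // Default limit quoted in the answer above; raise it in props.conf for older data.
    static final long MAX_DAYS_AGO = 2000;

    // Parse strictly; null means the pattern is invalid or does not match the value.
    static Date tryParse(String pattern, String value) {
        try {
            SimpleDateFormat fmt = new SimpleDateFormat(pattern);
            fmt.setLenient(false);
            return fmt.parse(value);
        } catch (IllegalArgumentException | ParseException e) {
            return null;
        }
    }

    // True when the timestamp is further in the past than MAX_DAYS_AGO allows.
    static boolean tooOld(Date ts, Date now) {
        return TimeUnit.MILLISECONDS.toDays(now.getTime() - ts.getTime()) > MAX_DAYS_AGO;
    }

    public static void main(String[] args) {
        Date now = new Date();
        String[] patterns = {
            "2015/05/19 20/:57:02",  // value from the posted stanza: a literal date, not a pattern
            "yyyy/MM/dd HH:mm:ss"    // pattern letters describing that layout
        };
        String[] values = {          // OPEN_TIME samples in the layout the poster describes
            "2008/03/14 09:15:00",   // constructed: data from 2008
            "2015/05/19 20:57:02",   // sample value quoted in the thread
            new SimpleDateFormat("yyyy/MM/dd HH:mm:ss").format(now)  // constructed: a current row
        };
        for (String p : patterns) {
            for (String v : values) {
                Date ts = tryParse(p, v);
                String verdict = ts == null ? "no timestamp extracted"
                        : tooOld(ts, now) ? "parsed, but older than MAX_DAYS_AGO"
                        : "parsed and within MAX_DAYS_AGO";
                System.out.printf("%-22s | %s -> %s%n", p, v, verdict);
            }
        }
    }
}
```

SimpleDateFormat treats digits and punctuation as literal text, so the date written into the stanza is accepted as a pattern but matches none of the sample values, while the letter pattern parses all of them and leaves only the age check to fail for old rows.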