Splunk DB Connect : Error 400 : Bad Request Unable...

bricevaixagon · ‎06-22-2018

Hello,

I have a problem with the application db_connect. The explorer SQL is OK, and gives me results, but when I set up my inputs, the index does not fill and I obtain errors like this :

2018-06-22 16:18:51.212 +0200 [QuartzScheduler_Worker-10] DEBUG
c.s.d.s.d.t.p.ExtractIndexingTimeProcessor
- action=setting_event_time_to_current_time
input=Test_1 time=1529677131212
2018-06-22 16:18:51.212 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=start_format_hec_events_from_payload
record=Record: {header=[number=1,
source="Test_1", creationDa

te="2018-06-22 16:18:51.212"],
payload=[EventPayload{fieldNames=[DomainID,
ForestID, DomainName, DomainMode,
LastDiscoveryTime, Flags],
row=[16777217, 16777217, CLIENT.lan,
Windows2008R2Domain, 2018-06-16
23:00:46.92, ]}]} 2018-06-22
16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=finish_format_hec_events record=Record: {header=[number=1,
source="Test_1",
creationDate="2018-06-

22 16:18:51.212"],
payload=[{"time":"1529677131,212","event":"2018-06-22
16:18:51.212, DomainID=\"16777217\",
ForestID=\"16777217\",
DomainName=\"CLIENT.lan\",
DomainMode=\"Windows2008R2Domain\",
LastDiscoveryTime=\"2018-06

-16 23:00:46.92\"","host":"SVSSCM","source":"Test_1","sourcetype":"SSCM_TEST","index":"sccm"}]}
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.d.t.p.ExtractIndexingTimeProcessor
- action=setting_event_time_to_current_time
input=Test_1 time=1529677131213
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=start_format_hec_events_from_payload
record=Record: {header=[number=2,
source="Test_1", creationDa

te="2018-06-22 16:18:51.213"],
payload=[EventPayload{fieldNames=[DomainID,
ForestID, DomainName, DomainMode,
LastDiscoveryTime, Flags],
row=[16777218, 16777218, CLIENT1.lan,
Windows2012R2Domain, 2018-06-16
23:00:04.59, ]}]} 2018-06-22
16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=finish_format_hec_events record=Record: {header=[number=2,
source="Test_1",
creationDate="2018-06-

22 16:18:51.213"],
payload=[{"time":"1529677131,213","event":"2018-06-22
16:18:51.213, DomainID=\"16777218\",
ForestID=\"16777218\",
DomainName=\"CLIENT1.lan\",
DomainMode=\"Windows2012R2Domain\",
LastDiscoveryTime=\"2018-06

-16 23:00:04.59\"","host":"SVSSCM","source":"Test_1","sourcetype":"SSCM_TEST","index":"sccm"}]}
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] INFO
c.s.dbx.server.dbinput.recordwriter.HecEventWriter
- action=write_records batch_size=2 2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] INFO
c.s.d.s.dbinput.recordwriter.HttpEventCollector
- action=writing_events_via_http_event_collector
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] INFO
c.s.d.s.dbinput.recordwriter.HttpEventCollector
- action=writing_events_via_http_event_collector
record_count=2 2018-06-22 16:18:51.222
+0200 [QuartzScheduler_Worker-10] ERROR
c.s.d.s.task.listeners.RecordWriterMetricsListener
- action=unable_to_write_batch java.io.IOException: HTTP Error 400:
Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2018-06-22 16:18:51.222 +0200
[QuartzScheduler_Worker-10] ERROR
org.easybatch.core.job.BatchJob -
Unable to write records
java.io.IOException: HTTP Error 400:
Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

I tried with JTDS drivers, MSSQL driver, and two jre.

Splunk version 7.0.1
db_connect 3.1.3

can you help me ?

Thanks.

bricevaixagon · ‎06-27-2018

it work with previous version (3.1.2)

sdesruelles · ‎07-27-2018

Hi,

We asked the support, the only solution was a downgrade for us.

jcoates · ‎06-22-2018

the pipeline is database > dbx java server > HEC > indexers.

HEC is throwing that error because it can't parse the data. Usually this comes from date strings that aren't dates or non-ASCII stuff. I don't see anything immediately wrong in that data sample but I haven't looked closely.

Splunk DB Connect : Error 400 : Bad Request Unable to write

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Splunk DB Connect : Error 400 : Bad Request Unable to write

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)