Re: Splunk DB Connect : Error 400 : Bad Request Un...

bricevaixagon · ‎06-22-2018

Hello,

I have a problem with the application db_connect. The explorer SQL is OK, and gives me results, but when I set up my inputs, the index does not fill and I obtain errors like this :

2018-06-22 16:18:51.212 +0200 [QuartzScheduler_Worker-10] DEBUG
c.s.d.s.d.t.p.ExtractIndexingTimeProcessor
- action=setting_event_time_to_current_time
input=Test_1 time=1529677131212
2018-06-22 16:18:51.212 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=start_format_hec_events_from_payload
record=Record: {header=[number=1,
source="Test_1", creationDa

te="2018-06-22 16:18:51.212"],
payload=[EventPayload{fieldNames=[DomainID,
ForestID, DomainName, DomainMode,
LastDiscoveryTime, Flags],
row=[16777217, 16777217, CLIENT.lan,
Windows2008R2Domain, 2018-06-16
23:00:46.92, ]}]} 2018-06-22
16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=finish_format_hec_events record=Record: {header=[number=1,
source="Test_1",
creationDate="2018-06-

22 16:18:51.212"],
payload=[{"time":"1529677131,212","event":"2018-06-22
16:18:51.212, DomainID=\"16777217\",
ForestID=\"16777217\",
DomainName=\"CLIENT.lan\",
DomainMode=\"Windows2008R2Domain\",
LastDiscoveryTime=\"2018-06

-16 23:00:46.92\"","host":"SVSSCM","source":"Test_1","sourcetype":"SSCM_TEST","index":"sccm"}]}
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.d.t.p.ExtractIndexingTimeProcessor
- action=setting_event_time_to_current_time
input=Test_1 time=1529677131213
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=start_format_hec_events_from_payload
record=Record: {header=[number=2,
source="Test_1", creationDa

te="2018-06-22 16:18:51.213"],
payload=[EventPayload{fieldNames=[DomainID,
ForestID, DomainName, DomainMode,
LastDiscoveryTime, Flags],
row=[16777218, 16777218, CLIENT1.lan,
Windows2012R2Domain, 2018-06-16
23:00:04.59, ]}]} 2018-06-22
16:18:51.213 +0200
[QuartzScheduler_Worker-10] DEBUG
c.s.d.s.dbinput.task.processors.EventMarshaller
- action=finish_format_hec_events record=Record: {header=[number=2,
source="Test_1",
creationDate="2018-06-

22 16:18:51.213"],
payload=[{"time":"1529677131,213","event":"2018-06-22
16:18:51.213, DomainID=\"16777218\",
ForestID=\"16777218\",
DomainName=\"CLIENT1.lan\",
DomainMode=\"Windows2012R2Domain\",
LastDiscoveryTime=\"2018-06

-16 23:00:04.59\"","host":"SVSSCM","source":"Test_1","sourcetype":"SSCM_TEST","index":"sccm"}]}
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] INFO
c.s.dbx.server.dbinput.recordwriter.HecEventWriter
- action=write_records batch_size=2 2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] INFO
c.s.d.s.dbinput.recordwriter.HttpEventCollector
- action=writing_events_via_http_event_collector
2018-06-22 16:18:51.213 +0200
[QuartzScheduler_Worker-10] INFO
c.s.d.s.dbinput.recordwriter.HttpEventCollector
- action=writing_events_via_http_event_collector
record_count=2 2018-06-22 16:18:51.222
+0200 [QuartzScheduler_Worker-10] ERROR
c.s.d.s.task.listeners.RecordWriterMetricsListener
- action=unable_to_write_batch java.io.IOException: HTTP Error 400:
Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2018-06-22 16:18:51.222 +0200
[QuartzScheduler_Worker-10] ERROR
org.easybatch.core.job.BatchJob -
Unable to write records
java.io.IOException: HTTP Error 400:
Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

I tried with JTDS drivers, MSSQL driver, and two jre.

Splunk version 7.0.1
db_connect 3.1.3

can you help me ?

Thanks.

bricevaixagon · ‎06-27-2018

it work with previous version (3.1.2)

sdesruelles · ‎07-27-2018

Hi,

We asked the support, the only solution was a downgrade for us.

jcoates · ‎06-22-2018

the pipeline is database > dbx java server > HEC > indexers.

HEC is throwing that error because it can't parse the data. Usually this comes from date strings that aren't dates or non-ASCII stuff. I don't see anything immediately wrong in that data sample but I haven't looked closely.

Splunk DB Connect : Error 400 : Bad Request Unable to write

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation