Splunk DB Connect: Help with DBConnector search er...

mbxray · ‎06-17-2019

This is for McAfee EPO Data Loss Prevention events.

I have one connector to our McAfee EPO for the EPOEvents table using Input type Rising, no errors. Using AutoID as a rising column.

SELECT * FROM (
SELECT 
(myquery)
where AutoID > ?
ORDER BY AutoID asc

When I create another connection to another table for DLP events and use the search, I get the error:
"java.sql.SQLException: Parameter #1 has not been set." using IncidentId as a rising column.

SELECT * FROM (
SELECT 
(myquery)
where IncidentId > ?
ORDER BY IncidentId asc

It gives me the error message when I use the following line, where IncidentId > ?.
Is it better not to use a sub-search?
Any help appreciated.

sanderdenheijer · ‎06-19-2019

Have you tried the following?
Leave out line 4 and specify the rising column under: Operations - DB Inputs - [your input] - Set Parameters

mbxray · ‎06-19-2019

I cannot find Operations - DB Inputs - [your input] - Set Parameters.
I go to Data Lab , select my connection, and enter my query in the sql editor.
I've tried adding IncidentId as my RisingColumn, but to no avail.
it runs without "where IncidentId > ?". When I do add this line, I get "java.sql.SQLException: Parameter #1 has not been set."

Splunk DB Connect: Help with DBConnector search error

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation