Splunk DB Connect -- How can I figure out who disa...

umsundar2015 · ‎10-09-2017

Hi ,

I am currently facing the issue like ,

My indexes created in Splunk DB Connect have been disabled by some means or someone accidentally.
I need to find out the person who disabled this, or how it got disabled. It will be working fine for many days, but suddenly it will be disabled one day and we can't figure it out.

Can someone help me in this to find the person or means it is disabled.

Regards,
Sundar

pradeepkumarg · ‎10-09-2017

Do you mean the actual DB inputs get disabled ? If the the connection to database fails for x amount of tries, the inputs gets disabled automatically. The number of tries can be configured per input. If this is the case, you can find the event in the dbx logs which says when the input was actually disabled.

umsundar2015 · ‎10-11-2017

I think this happend in my case.

Thank you,

harsmarvania57 · ‎10-09-2017

Hi @umsundar2015,

If someone disabled Indexes via SplunkWeb then you will able to find details using below query.

index=_internal host=<HOSTNAME ON WHICH DB CONNECT RUNNING> source=*splunkd_ui_access.log* POST disable

I hope this helps.

Thanks,
Harshil

Splunk DB Connect -- How can I figure out who disabled indexes in the app?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...