All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk DB Connect: Persistent db_inputs post deletion

sochsenbein
Communicator
‎10-25-2018 08:11 AM

Our current setup looks like this:

Deployment Server
Deployer
Indexer 1
Indexer 2
Search Head 1
Search Head 2
Search Head 3

A couple of months ago, I added a db_input for our Management app. The input took raw SQL. Within that SQL it returned a warning level and alarm level hard coded. Warning = 4000, Alarm = 3500.

However, this week, I took the SQL and stored it as a Stored Procedure on our MSSQL database. I edited the exact same db input, replacing the SQL with "EXEC splunk.dbo.moves". In that stored procedure, I changed Warning to 3000 and Alarm to 2500. I have the input to run every 5 minutes. Now, it returns both the old data and the new data. Meaning I am seeing Warning = 4000 sometimes and 3000 other times. Same goes for Alarm.

I restarted Splunk on all 7 systems that we have. I checked db_inputs conf on both Deployment Server and under shcluster apps folder, and the Deployer. I am not seeing anywhere that has the old code in it. Is there anywhere else to check? Or any other ideas? I just created a brand new db_inputs called something else with just the stored procedure so we can get our data. However, the old stuff is still getting indexed, and they're a waste of space.

Thanks, hope this makes sense.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sochsenbein
Communicator
‎06-12-2019 03:19 PM

This was caused by db_inputs being on both the deployer and search heads.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sochsenbein
Communicator
‎06-12-2019 03:19 PM

This was caused by db_inputs being on both the deployer and search heads.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...