All Apps and Add-ons

Splunk DB Connect: Persistent db_inputs post deletion

Communicator

Our current setup looks like this:

Deployment Server
Deployer
Indexer 1
Indexer 2
Search Head 1
Search Head 2
Search Head 3

A couple of months ago, I added a db_input for our Management app. The input took raw SQL. Within that SQL it returned a warning level and alarm level hard coded. Warning = 4000, Alarm = 3500.

However, this week, I took the SQL and stored it as a Stored Procedure on our MSSQL database. I edited the exact same db input, replacing the SQL with "EXEC splunk.dbo.moves". In that stored procedure, I changed Warning to 3000 and Alarm to 2500. I have the input to run every 5 minutes. Now, it returns both the old data and the new data. Meaning I am seeing Warning = 4000 sometimes and 3000 other times. Same goes for Alarm.

I restarted Splunk on all 7 systems that we have. I checked db_inputs conf on both Deployment Server and under shcluster apps folder, and the Deployer. I am not seeing anywhere that has the old code in it. Is there anywhere else to check? Or any other ideas? I just created a brand new db_inputs called something else with just the stored procedure so we can get our data. However, the old stuff is still getting indexed, and they're a waste of space.

Thanks, hope this makes sense.

0 Karma
1 Solution

Communicator

This was caused by db_inputs being on both the deployer and search heads.

View solution in original post

0 Karma

Communicator

This was caused by db_inputs being on both the deployer and search heads.

View solution in original post

0 Karma