All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk DB Connect: Persistent db_inputs post deletion

sochsenbein
Communicator
‎10-25-2018 08:11 AM

Our current setup looks like this:

Deployment Server
Deployer
Indexer 1
Indexer 2
Search Head 1
Search Head 2
Search Head 3

A couple of months ago, I added a db_input for our Management app. The input took raw SQL. Within that SQL it returned a warning level and alarm level hard coded. Warning = 4000, Alarm = 3500.

However, this week, I took the SQL and stored it as a Stored Procedure on our MSSQL database. I edited the exact same db input, replacing the SQL with "EXEC splunk.dbo.moves". In that stored procedure, I changed Warning to 3000 and Alarm to 2500. I have the input to run every 5 minutes. Now, it returns both the old data and the new data. Meaning I am seeing Warning = 4000 sometimes and 3000 other times. Same goes for Alarm.

I restarted Splunk on all 7 systems that we have. I checked db_inputs conf on both Deployment Server and under shcluster apps folder, and the Deployer. I am not seeing anywhere that has the old code in it. Is there anywhere else to check? Or any other ideas? I just created a brand new db_inputs called something else with just the stored procedure so we can get our data. However, the old stuff is still getting indexed, and they're a waste of space.

Thanks, hope this makes sense.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sochsenbein
Communicator
‎06-12-2019 03:19 PM

This was caused by db_inputs being on both the deployer and search heads.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sochsenbein
Communicator
‎06-12-2019 03:19 PM

This was caused by db_inputs being on both the deployer and search heads.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...