All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect: Why does DB Connect no longer stores results after query?

datorres
Explorer
‎03-08-2018 01:08 PM

Issue

DB Connect no longer stores results after query. It was working fine in the past, but now just doesn't work.

Troubleshooting Steps

  • Changed query in DB Input to something simpler
  • Deleted and recreated DB Input, using as many default values as possible
  • Created additional DB Inputs for same database
  • Created additional DB Inputs for different databases on different hosts
  • Ran tcpdump on all devices to ensure that DB Connect was able to successfully connect, query, and receive results
  • Tried using different indexes and sourcetype names for each query
  • Tried upgrading DB Connect app from 3.1.0 to 3.1.2.

Results

  • Splunk search-head successfully connects to port 3306 on target machine, performs query, receives results.
  • Try to query results in Search (timeframe "All Time"); no results.

Additional Info

  • Splunk Enterprise v7.0
  • Splunk DB Connect v3.1.2
0 Karma
Reply

datorres
Explorer
‎03-29-2018 11:51 AM

Finally figured out the problem. There was an issue with indexes being pointed to the incorrect indexers, so the search head wasn't able to send the results. Once that was fixed, the problem was resolved.

Thank you to all who provided suggestions and aided in our troubleshooting efforts!

0 Karma
Reply

tmuth_splunk
Splunk Employee
Splunk Employee
‎03-14-2018 06:49 AM

I ran into this the other day in a docker demo environment. After bouncing the HWF, input started working again. It's worth a try if you haven't bounced it yet.

0 Karma
Reply

baegoon
Explorer
‎03-14-2018 08:48 AM

Do you mean bouncing the database server where we are pulling data from via db_connect? Or bouncing the search head where db_connect is installed? Or the Splunk Indexer where we are supposed see the indexed queries? Just for clarification.

0 Karma
Reply

tmuth_splunk
Splunk Employee
Splunk Employee
‎03-14-2018 08:50 AM

If DBX is installed on a search head (SH) and not a search head cluster (SHC) and this is where you're running your inputs, then in your case you would need to bounce the search head.

0 Karma
Reply

damiensurat
Contributor
‎03-08-2018 03:02 PM

Are you using rising columns?

Reply

baegoon
Explorer
‎03-13-2018 07:12 AM

Also we no errors are reported in the internal index, so we can't track even if it is a permissions issue.

0 Karma
Reply

datorres
Explorer
‎03-08-2018 03:23 PM

The original query was using a rising column. During troubleshooting, I created other queries that use batch instead. None work.

0 Karma
Reply

damiensurat
Contributor
‎03-08-2018 03:05 PM

Also possibly a permissions issue? https://answers.splunk.com/answers/474713/splunk-db-connect-after-creating-a-rising-column-d.html

Reply

datorres
Explorer
‎03-08-2018 03:31 PM

I thought so too, so I double-checked. Permissions are default of:

Roles               Read    Write
db_connect_admin       √        √
db_connect_user        √
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...