I have connected Splunk to MS SQL server and got the data using DB Connect and built a dashboard with that data.
Then 2 things happen:
1) It stopped indexing data from day 2 (I thought it was going to get real-time data).
2) The dashboard takes ages to run commands and give results (Is it common? Can anyone tell the reason?).
Hi,
Check your DBConnect Connection Health from the DBConnect App to make sure connection status of the DBConnect App.
Is your dashboard running searches against Indexer or database? If it's from Indexer, make sure DBConnect is configured to ingest required data only from the database, and also use specific index table if your DB Input have larger data set.
Have you checked the cron schedule for the DBConnect DataLab? Also, is DBConnect app showing any errors?
We had an issue where the port used by DBConnect was not running and so it had stopped executing the data labs.
The dashboard running slowly should not be related to the DBConnect application as it will be fetching events from the Index and not the app. You might want to check if you have any performance issues on your Indexer(s).
Which version of Splunk are you using?
If you are using 7.2.x versions which had a number of CPU and memory implications. 7.2.4 addressed most of them.
You can try | noop search_optimization=false
and see, Which I think would make your search a little better.
If you can share an example search you're using.