Solved: Splunk DB Connect tail doesn't work

Micmac · ‎03-24-2014

Hello,

I just install DB connect in tail mode on MySQL DB and the daemon tail never works.

Using Splunk UI I can successfully connect and query the MySQL DB.

dbx.log extract :

dbx6092:INFO:BridgeSession - Executing Bridge command: BridgeExecutionInfo{className=com.splunk.dbx.command.DatabaseQueryCommand}
dbx6092:INFO:DatabaseQueryCommand - action=executing SQL query="SELECT * FROM `<mytable>` WHERE `action` LIKE '%action%' " on database=<mydb>
dbx6092:WARN:DatabaseQueryCommand - SearchResultsInfo file null doesn't exist

My query return data as expected.

Below the Java Bridge Server Status (data get from UI DB apps -> setting -> "Java Bridge Server Status")
with my inputs.conf and database.conf.

If someone have any idea ... some additional test, file to see or anything else ?

Thanks,

Status for Splunkd{host='xxxx', sessionKey='xxxx'} (com.splunk.rest.Splunkd)
Splunkd REST connection with sessionKey=xxxxxx (VALID) requests=811

Status for Pooled database factory (com.splunk.dbx.sql.factory.PooledConnectionFactory)
Loaded databases:
    Database{name='<mydbname>', databaseType=MySQL{}, host='xx.xx.xx.xx', port=3306, username='xxxx', database='<mysqldb>'}
    Pool: GenericKeyedObjectPool{active=0, idle=1, maxActive=15, maxIdle=5}

Status for DatabaseMonitoringManager (com.splunk.dbx.monitor.DatabaseMonitoringManager)
Inputs:
    [dbmon-tail://<mydbname>/<mydevice>]: valid=true disabled=false scheduleType=AUTO interval=auto running=false

Status for JavaBridgeServer (com.splunk.bridge.JavaBridgeServer)
    listening on 127.0.0.1:17865 running=true executedSessions=41

Status for ProcessWatcher (com.splunk.bridge.JavaBridgeServer$ProcessWatcher)
    Watching pid file: /opt/splunk/var/run/splunk/dbx/dbx.lock with pid=22420 failures=0

cat inputs.conf

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://<mydbname>/<mydevice>]
host = <myhost>
index = default
output.format = kv
output.timestamp = 1
output.timestamp.column = 1time
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%'
sourcetype = db_mysql
tail.rising.column = 1time
interval = 60
table = mytable

cat database.conf
[mydbname]
database = mysqldb
host = xx.xx.xx.xx
isolation_level = DATABASE_SETTING
password = enc:xxxxxxxxxxx
port = 3306
readonly = 1
type = mysql
username = xxxxx

theouhuios · ‎03-24-2014

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}}

View solution in original post

Micmac · ‎03-27-2014

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

theouhuios · ‎03-24-2014

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}}

Micmac · ‎03-27-2014

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

Splunk DB Connect tail doesn't work

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes