Solved: Splunk DB Connect tail doesn't work

Micmac · ‎03-24-2014

Hello,

I just install DB connect in tail mode on MySQL DB and the daemon tail never works.

Using Splunk UI I can successfully connect and query the MySQL DB.

dbx.log extract :

dbx6092:INFO:BridgeSession - Executing Bridge command: BridgeExecutionInfo{className=com.splunk.dbx.command.DatabaseQueryCommand}
dbx6092:INFO:DatabaseQueryCommand - action=executing SQL query="SELECT * FROM `<mytable>` WHERE `action` LIKE '%action%' " on database=<mydb>
dbx6092:WARN:DatabaseQueryCommand - SearchResultsInfo file null doesn't exist

My query return data as expected.

Below the Java Bridge Server Status (data get from UI DB apps -> setting -> "Java Bridge Server Status")
with my inputs.conf and database.conf.

If someone have any idea ... some additional test, file to see or anything else ?

Thanks,

Status for Splunkd{host='xxxx', sessionKey='xxxx'} (com.splunk.rest.Splunkd)
Splunkd REST connection with sessionKey=xxxxxx (VALID) requests=811

Status for Pooled database factory (com.splunk.dbx.sql.factory.PooledConnectionFactory)
Loaded databases:
    Database{name='<mydbname>', databaseType=MySQL{}, host='xx.xx.xx.xx', port=3306, username='xxxx', database='<mysqldb>'}
    Pool: GenericKeyedObjectPool{active=0, idle=1, maxActive=15, maxIdle=5}

Status for DatabaseMonitoringManager (com.splunk.dbx.monitor.DatabaseMonitoringManager)
Inputs:
    [dbmon-tail://<mydbname>/<mydevice>]: valid=true disabled=false scheduleType=AUTO interval=auto running=false

Status for JavaBridgeServer (com.splunk.bridge.JavaBridgeServer)
    listening on 127.0.0.1:17865 running=true executedSessions=41

Status for ProcessWatcher (com.splunk.bridge.JavaBridgeServer$ProcessWatcher)
    Watching pid file: /opt/splunk/var/run/splunk/dbx/dbx.lock with pid=22420 failures=0

cat inputs.conf

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://<mydbname>/<mydevice>]
host = <myhost>
index = default
output.format = kv
output.timestamp = 1
output.timestamp.column = 1time
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%'
sourcetype = db_mysql
tail.rising.column = 1time
interval = 60
table = mytable

cat database.conf
[mydbname]
database = mysqldb
host = xx.xx.xx.xx
isolation_level = DATABASE_SETTING
password = enc:xxxxxxxxxxx
port = 3306
readonly = 1
type = mysql
username = xxxxx

theouhuios · ‎03-24-2014

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}}

View solution in original post

Micmac · ‎03-27-2014

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

theouhuios · ‎03-24-2014

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}}

Micmac · ‎03-27-2014

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

Splunk DB Connect tail doesn't work

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation

Splunk DB Connect tail doesn't work

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI