Splunk DB Connect tail doesn't work

Micmac
Path Finder

Hello,

I just installed DB Connect in tail mode on a MySQL DB and the tail daemon never works.

Using Splunk UI I can successfully connect and query the MySQL DB.

dbx.log extract:

dbx6092:INFO:BridgeSession - Executing Bridge command: BridgeExecutionInfo{className=com.splunk.dbx.command.DatabaseQueryCommand}
dbx6092:INFO:DatabaseQueryCommand - action=executing SQL query="SELECT * FROM `<mytable>` WHERE `action` LIKE '%action%' " on database=<mydb>
dbx6092:WARN:DatabaseQueryCommand - SearchResultsInfo file null doesn't exist

My query returns data as expected.

Below is the Java Bridge Server Status (data taken from UI DB apps -> setting -> "Java Bridge Server Status")
with my inputs.conf and database.conf.

If someone has any idea... some additional test, a file to look at, or anything else?

Thanks,

Status for Splunkd{host='xxxx', sessionKey='xxxx'} (com.splunk.rest.Splunkd)
Splunkd REST connection with sessionKey=xxxxxx (VALID) requests=811

Status for Pooled database factory (com.splunk.dbx.sql.factory.PooledConnectionFactory)
Loaded databases:
    Database{name='<mydbname>', databaseType=MySQL{}, host='xx.xx.xx.xx', port=3306, username='xxxx', database='<mysqldb>'}
    Pool: GenericKeyedObjectPool{active=0, idle=1, maxActive=15, maxIdle=5}

Status for DatabaseMonitoringManager (com.splunk.dbx.monitor.DatabaseMonitoringManager)
Inputs:
    [dbmon-tail://<mydbname>/<mydevice>]: valid=true disabled=false scheduleType=AUTO interval=auto running=false

Status for JavaBridgeServer (com.splunk.bridge.JavaBridgeServer)
    listening on 127.0.0.1:17865 running=true executedSessions=41

Status for ProcessWatcher (com.splunk.bridge.JavaBridgeServer$ProcessWatcher)
    Watching pid file: /opt/splunk/var/run/splunk/dbx/dbx.lock with pid=22420 failures=0

cat inputs.conf

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://<mydbname>/<mydevice>]
host = <myhost>
index = default
output.format = kv
output.timestamp = 1
output.timestamp.column = 1time
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%'
sourcetype = db_mysql
tail.rising.column = 1time
interval = 60
table = mytable

cat database.conf
[mydbname]
database = mysqldb
host = xx.xx.xx.xx
isolation_level = DATABASE_SETTING
password = enc:xxxxxxxxxxx
port = 3306
readonly = 1
type = mysql
username = xxxxx


theouhuios
Motivator

You should use {{WHERE $rising_column$ > ?}} when it's a tail input.

Please check this document

Try this:

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}} 
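
A check for the problem fixed in this answer, as an added example that is not part of the original post or of Splunk DB Connect: it scans inputs.conf text for dbmon-tail stanzas whose custom query lacks the rising-column clause. The stanza names and the sample file are constructed, and stanzas without a custom `query` are skipped on the assumption that only hand-written queries need the clause.

```python
import configparser
import re

# Matches the optional clause shown in the answer, e.g.
# {{AND $rising_column$ > ?}} or {{WHERE $rising_column$ > ?}}
RISING_CLAUSE = re.compile(r"\{\{[^{}]*\$rising_column\$\s*>=?\s*\?[^{}]*\}\}")

def check_tail_inputs(conf_text):
    """Return {stanza: [problems]} for dbmon-tail stanzas in inputs.conf text."""
    parser = configparser.ConfigParser(
        interpolation=None,   # keep '%action%' and '$rising_column$' literal
        delimiters=("=",),    # values such as 'dbmon:spool' contain ':'
        strict=False,
    )
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        if not stanza.startswith("dbmon-tail://"):
            continue
        opts = parser[stanza]
        problems = []
        if not opts.get("tail.rising.column", "").strip():
            problems.append("tail.rising.column is not set")
        query = opts.get("query", "").strip()
        # Assumption: only stanzas with a hand-written query need the clause.
        if query and not RISING_CLAUSE.search(query):
            problems.append("custom query lacks {{... $rising_column$ > ?}}")
        if problems:
            findings[stanza] = problems
    return findings

# Constructed sample: the query from the question and the corrected one.
SAMPLE = """
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
sourcetype = dbmon:spool

[dbmon-tail://mydbname/before]
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%'
tail.rising.column = 1time

[dbmon-tail://mydbname/after]
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}}
tail.rising.column = 1time
"""

if __name__ == "__main__":
    for stanza, problems in check_tail_inputs(SAMPLE).items():
        print(stanza, "->", "; ".join(problems))
```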


Micmac
Path Finder

Thanks !

I had missed it. After changing inputs.conf and restarting splunkd it was OK.
The tail daemon works and updates as expected.

Do you know if a restart of splunkd is normally required, or is there something specific to Splunk DB Connect needed for it to take changes in .conf files into account?

Thanks,
