
Splunk DB Connect: very little data being indexed

Splunk Employee

Hi,

I do see thousands of records being read by my query in the log file, splunk_app_db_connect_job_metrics.log.

I use a rising column (AutoID in this case for McAfee ePO database). I have a custom index named epo configured in the DBConnect Input.

However, very few of those records are visible in the epo index from Search. A real-time or relative-time search yields only a few events (fewer than two hundred in the last hour). Expanding the search time range doesn't make much difference.

Where are the bulk of the records going? Is there a way to see the values of the rising column being stored in Splunk?

2017-10-31 23:15:18.981 +0000 INFO  c.s.dbx.server.task.listeners.JobMetricsListener - action=collect_job_metrics connection=McAfee-EPO-DB-Conn-Prod jdbc_url=null record_read_success_count=7690 db_read_time=18298 hec_upload_time=565 hec_record_process_time=77 format_hec_success_count=7689 hec_upload_bytes=13826240 status=COMPLETED input_name=McAfee_ePO-feed-extended batch_size=1000 error_threshold=N/A is_jmx_monitoring=false start_time=2017-10-31_11:15:00 end_time=2017-10-31_11:15:18 duration=18979 read_count=46951 write_count=46951 filtered_count=0 error_count=0

Any hint is appreciated! Thanks in advance.

best regards,
Shreedeep.

1 Solution

Path Finder

The rising file can be found in $splunk_home/var/lib/splunk/modinputs/server/splunk_app_db_connect

Do all your database events have a valid timestamp value? Or have you set up rules to filter out events as they go to the indexer?


Splunk Employee

I don't have filter rules, and yes, all rows have UTC timestamps.
Thanks for the location of the rising value persistence file. I do see the value increasing, which is a good sign.

After a night of running, the amount of data now being indexed has ramped up. In the initial few hours, data was trickling in.


Splunk Employee

The real problem turned out to be the Timezone setting on the DB connection in DBConnect. It was set to PST, which was overriding the UTC timestamp column of the table itself. Events were getting ingested with future dates, and the search was not finding the latest events. We set the DB server, the McAfee ePO Server and Splunk to GMT, and set the Timezone on the DB connection in DBConnect to GMT too. Everything worked fine after that.

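The failure mode described in the final post, reproduced as an added example; this is not code from the thread or from Splunk DB Connect. A DB connection timezone of PST applied to a column that really holds UTC turns every naive timestamp into an instant eight hours in the future, so `_time` exceeds `_indextime` and the event falls outside a "last 1 hour" search window. Assumptions not stated on the page: the ePO timestamp column is a naive `YYYY-MM-DD HH:MM:SS` string in UTC, the connection timezone is applied by interpreting that string in the configured zone, and "PST" is modelled as a fixed UTC-8 offset (DST ignored). The sample rows and the `ReceivedUTC` column name are constructed.

```python
# Added example: models the DB Connect connection-timezone mismatch from the
# thread. Not Splunk's code; column name, row values and the fixed UTC-8
# treatment of "PST" are assumptions made for the demonstration.
from datetime import datetime, timedelta, timezone

# Constructed sample rows: AutoID is the rising column, ReceivedUTC is a naive
# timestamp that really means UTC. Values are made up.
SAMPLE_ROWS = [
    {"AutoID": 46950, "ReceivedUTC": "2017-10-31 23:15:00"},
    {"AutoID": 46951, "ReceivedUTC": "2017-10-31 23:15:18"},
]

PST_OFFSET_HOURS = -8  # what the DB connection was set to
UTC_OFFSET_HOURS = 0   # what the column actually contains


def to_epoch(naive_ts: str, tz_offset_hours: int) -> int:
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' string in a fixed-offset zone.

    This mimics what the connection timezone does to a column that carries no
    offset of its own: the same wall-clock string becomes a different instant
    depending on the zone it is read in.
    """
    tz = timezone(timedelta(hours=tz_offset_hours))
    dt = datetime.strptime(naive_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return int(dt.timestamp())


def skew_seconds(naive_ts: str, configured_offset_hours: int,
                 true_offset_hours: int = UTC_OFFSET_HOURS) -> int:
    """Seconds a mis-zoned event lands from its real instant (positive = future)."""
    return (to_epoch(naive_ts, configured_offset_hours)
            - to_epoch(naive_ts, true_offset_hours))


def flag_future_events(rows, configured_offset_hours: int, index_epoch: int,
                       ts_field: str = "ReceivedUTC"):
    """Return AutoIDs whose _time would be later than _indextime.

    Same test as the SPL `| eval lag=_indextime-_time | where lag<0`, applied
    here before the data reaches the indexer.
    """
    return [r["AutoID"] for r in rows
            if to_epoch(r[ts_field], configured_offset_hours) > index_epoch]


def in_relative_window(event_epoch: int, now_epoch: int,
                       seconds_back: int = 3600) -> bool:
    """True if the event falls inside a 'last N seconds' search (earliest=-N, latest=now)."""
    return now_epoch - seconds_back <= event_epoch <= now_epoch


if __name__ == "__main__":
    # Pretend the batch was indexed 30 s after the newest row's real UTC time.
    index_epoch = to_epoch(SAMPLE_ROWS[-1]["ReceivedUTC"], UTC_OFFSET_HOURS) + 30
    for offset in (PST_OFFSET_HOURS, UTC_OFFSET_HOURS):
        future = flag_future_events(SAMPLE_ROWS, offset, index_epoch)
        visible = [r["AutoID"] for r in SAMPLE_ROWS
                   if in_relative_window(to_epoch(r["ReceivedUTC"], offset), index_epoch)]
        print(f"connection tz UTC{offset:+d}: future_dated={future} visible_last_1h={visible}")
```

With the connection set to UTC-8 both rows are flagged as future-dated and neither is visible in a last-hour search; with the connection set to UTC none are flagged and both are visible. On a live system the equivalent check is the `_indextime - _time` comparison shown in the docstring: a negative lag across many events points at a timezone mismatch rather than at DB Connect dropping records, which is consistent with the job metrics line showing read_count equal to write_count.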