We are seeing logs in Splunk, but they are lagging, meaning they are always 3 days behind, i.e. we can only see logs from the 14th and prior. Is there some time format or other configuration that needs to be changed?
As per the documentation https://docs.splunk.com/Documentation/DBX/3.0.1/DeployDBX/Createandmanagedatabaseinputs is it possible your max rows to retrieve is too small?
There is also a query timeout of 30 seconds within the db_inputs.conf you could possibly be hitting https://docs.splunk.com/Documentation/DBX/3.0.1/DeployDBX/dbinputs
Thank you for the advice, much appreciated. Still having an issue after I changed the max_rows value to all (max_row = all), which is the default from what I have read. >>{/splunk/etc/apps/dbx/local/inputs.conf}
Do the DB Connect logs in /opt/splunk/var/log/splunk/splunk_app_db_connect_* give you any hints?
You can also find them in the internal index; they might tell you what is happening...
Furthermore, are you sure the records are old? I.e., do you have an issue parsing the timestamps, using the wrong time column, or similar?
Hello again. No, there are no error messages in the dbx.log
======================================================================================
2017-03-20 11:45:34.916 dbx4196:INFO:TailDatabaseMonitor - Database monitor=[dbmon-tail://epo_b-edc/epo_b-edc_5] finished with status=true resultCount=10000 in duration=886266 ms
2017-03-20 11:45:34.916 dbx4196:INFO:ExecutionContext - Execution finished in duration=886266 ms
What is happening is that the logs are coming, but they are three days behind. So today is the 20th, and we can see logs from up to the 17th only. Tomorrow, the 21st, we will see logs up to the 18th.
The logs indicate:
resultCount=10000
Did you try increasing this number to see if you just need more data per request? Do you have more than 10K rows per day? Or alternatively, you can set the query to run more often/more times per day?
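The check suggested in the reply above, as an added example that is not part of the original thread: it parses DB Connect monitor completion lines, flags runs whose resultCount reached the row cap, and bounds how many rows per day the input can pull. The `row_cap` and `interval_s` parameters are assumptions to be set from the input's own configuration, and the third sample line is constructed.

```python
import re

# Completion line format as quoted from the DB Connect log in the thread.
RUN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) .*"
    r"Database monitor=\[(?P<monitor>[^\]]+)\] finished with "
    r"status=(?P<status>\w+) resultCount=(?P<count>\d+) "
    r"in duration=(?P<ms>\d+) ms"
)

# First two lines are from the thread; the third is constructed for contrast.
SAMPLE_LOG = [
    "2017-03-20 11:45:34.916 dbx4196:INFO:TailDatabaseMonitor - Database monitor=[dbmon-tail://epo_b-edc/epo_b-edc_5] finished with status=true resultCount=10000 in duration=886266 ms",
    "2017-03-20 11:45:34.916 dbx4196:INFO:ExecutionContext - Execution finished in duration=886266 ms",
    "2017-03-20 12:00:01.250 dbx4196:INFO:TailDatabaseMonitor - Database monitor=[dbmon-tail://example/constructed_input] finished with status=true resultCount=412 in duration=1200 ms",
]

def parse_runs(lines):
    """Return one dict per monitor completion line; other lines are skipped."""
    runs = []
    for line in lines:
        m = RUN_RE.search(line)
        if m:
            runs.append({"ts": m["ts"], "monitor": m["monitor"],
                         "ok": m["status"] == "true",
                         "count": int(m["count"]), "duration_ms": int(m["ms"])})
    return runs

def assess(run, row_cap=10000, interval_s=0):
    """Flag runs that filled the batch and bound the daily row throughput.

    row_cap and interval_s are assumptions: set them to the input's
    configured maximum rows and polling interval.
    """
    # A new run cannot start before the previous one finishes.
    cycle_ms = max(run["duration_ms"], interval_s * 1000, 1)
    return {
        "monitor": run["monitor"],
        # Hitting the cap means more rows were probably waiting.
        "saturated": run["count"] >= row_cap,
        "max_rows_per_day": row_cap * 86_400_000 // cycle_ms,
    }

if __name__ == "__main__":
    for r in parse_runs(SAMPLE_LOG):
        print(assess(r))
```

If the source table gains more rows per day than `max_rows_per_day`, a saturated input cannot catch up without a larger batch or a shorter cycle.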
So we decided to move on to DB Connect 2 for our EPO events; however, I am seeing two different database drivers for this. Which is the right one?
sqljdbc4.jar and postgresql-9.4.1212.jre6.jar
Is this also in the local.con file? Because I am not seeing it.
The other config change that I made proved not to have worked.