All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk DB Connect not indexing all the records when using the Rising Column Input Type?

luislema
Path Finder
‎12-11-2016 01:01 PM

I am using Splunk 6.5.1 and the DB Connect App to index data from SQL Server databases. I use the rising column on a primary key so the indexer will only load new records. The first time it runs fine, but in subsequent runs, the indexer is not loading all the columns. It usually skips 1-2 records when it runs, some runs don't skip any records though. I've tried it with a couple of databases on different servers and had the same result. I also tried the Advanced Input Type with a Checkpoint value, and it loads duplicate records. I am not sure what the issue is. I've used Splunk DB Connect 2 before and I've never had any issues like this.

Reply
1 Solution
Solved! Jump to solution
Solution

nabeel652
Builder
‎12-19-2016 07:49 PM

is the rising column on an auto-increment field? If not so, there is a chance that the records don't come in order and DB Connect will ignore the events with value less than the rising column value it last saw.

You can check it in /opt/splunk/var/lib/persistantstorage/dbx//state.xml file what value it has stored last. you need to find the folder relevant to your query as the names are just given in form of random numbers.

View solution in original post

Reply
Solved! Jump to solution
Solution

nabeel652
Builder
‎12-19-2016 07:49 PM

is the rising column on an auto-increment field? If not so, there is a chance that the records don't come in order and DB Connect will ignore the events with value less than the rising column value it last saw.

You can check it in /opt/splunk/var/lib/persistantstorage/dbx//state.xml file what value it has stored last. you need to find the folder relevant to your query as the names are just given in form of random numbers.

Reply
Solved! Jump to solution

luislema
Path Finder
‎12-19-2016 07:53 PM

Yes, for the rising column to work the data can't be on a secondary replica, and the rising column needs to be an identity column.

0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎12-19-2016 07:56 PM

Best practice I have seen so far it to make timestamp column your rising column. This will eliminate the chances of skipping events due to not matching rising column condition.

0 Karma
Reply
Solved! Jump to solution

luislema
Path Finder
‎12-19-2016 08:02 PM

Yes, unless you have 2 events with the same timestamp.

0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎12-19-2016 08:07 PM

It is the time row was added. It is guaranteed to be unique

0 Karma
Reply
Solved! Jump to solution

luislema
Path Finder
‎12-19-2016 08:15 PM

Right, timestamp data type is unique. I was getting it confused with the datetime data type.

0 Karma
Reply
Solved! Jump to solution

thompsonsgg
New Member
‎12-15-2016 02:28 PM

Hi, have you had any luck with this? I am having the same issue.

0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎12-19-2016 06:35 PM

is the rising column on an auto-increment field? If not so, there is a chance that the records don't come in order and DB Connect will ignore the events with value less than the rising column value it last saw.

You can check it in /opt/splunk/var/lib/persistantstorage/dbx//state.xml file what value it has stored last. you need to find the folder relevant to your query as the names are just given in form of random numbers.

0 Karma
Reply
Solved! Jump to solution

luislema
Path Finder
‎12-19-2016 06:44 PM

Yes, the rising column is a Primary Key Identity column. You can also see the Checkpoint Value if you go to the DB Connect app, then Operations -> DB Inputs, click on your Input, then go to step 2 of 4 "Choose and Preview Table". At the bottom of that step it will show the Checkpoint Value.

0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎12-19-2016 06:47 PM

Is it auto-increment or the getting its value from some other means? Just asking because I also had same problem and found out that the database was somehow not saving records in order

Reply
Solved! Jump to solution

luislema
Path Finder
‎12-19-2016 07:47 PM

It seems you were right. It was because the rising column was not an identity column. I got confused because I was trying on 2 different databases, one had the identity column but it was a secondary replica so the data was being synchronized from the primary server. This is where I originally had the issue and assumed it was because of the replication. Therefore, I did the same test on another database without replication but I didn't set the primary key as an identity. After you commented I set it up as identity and so far it has been running fine without skipping any records. Can you add an answer so I can select it as a solution?

0 Karma
Reply
Solved! Jump to solution

luislema
Path Finder
‎12-19-2016 06:49 PM

Yes, it's an identity column so it auto increments.

0 Karma
Reply
Solved! Jump to solution

luislema
Path Finder
‎12-16-2016 09:20 AM

If you are having the same issue you should up vote my post.

0 Karma
Reply
Solved! Jump to solution

luislema
Path Finder
‎12-15-2016 02:54 PM

No, I am currently contacting Splunk support.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...