All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why isn't Splunk DB Connect 2 generating any events?

adacpt
Explorer
‎06-15-2016 04:17 AM

This is a brand new database that I'm connecting to in Splunk DB Connect 2 and I can see that my Input is valid and the sample query is retrieving the correct results in the 'Choose and Preview Table' section, but it's not generating the source, sourcetype, or any actual events in the Search and Reporting app. I'm stumped as to why I'm not seeing any events.

Reply

muebel
SplunkTrust
SplunkTrust
‎06-16-2016 08:21 AM

Hi adacpt, I believe this doc will be helpful http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Troubleshooting

Essentially, reference the log to get a better idea exactly what is going on when the input script runs. If Splunk is indexing general inputs fine (the normal _internal stuff a the very least), then you should be able to figure this out through the dbx log. Turn up the logging level if necessary.

Also, do you have permissions to view the index in question? Can you find any other sort of events in that index? I'm assuming you are admin on the search head in question, but missing events could indicate an authorization issue. (probably unlikely)

0 Karma
Reply

briancrandall
Explorer
‎06-16-2016 07:43 AM

I'm having this problem too. The obvious follow up questions are is this a distributed deployment and if so do you have outputs.conf configured to send to your indexers. In my case the answer is yes to both. My input is running successfully every 5 minutes but no data is getting indexed.

0 Karma
Reply

briancrandall
Explorer
‎06-16-2016 08:38 AM

In case anyone stumbles across this later my problem was the timestamp. I changed the parameters to use the current index time instead of choosing a column from the data and now data is getting indexed. Next up is figuring out how to get things working using the column I want for the timestamp.

0 Karma
Reply

adacpt
Explorer
‎06-16-2016 09:36 AM

Thx, briancrandall. This fixed my issue, as well.

Reply

adacpt
Explorer
‎06-16-2016 10:01 AM

I think I may have found something that could help on this. It looked my timedate stamp was not exactly what it was looking for. I had to check the Java Time option and then specify the timedate format from my database. That fixed my issue and the event times are now the same as my MySQL row times. Hope that helps.

Reply

adacpt
Explorer
‎06-16-2016 08:00 AM

In my case, the answer to both questions is no. i didn't see anything in the documentation about changing inputs.conf or outputs.conf to accommodate the input that DB Connect 2 creates. Is that something you did?

0 Karma
Reply

briancrandall
Explorer
‎06-16-2016 08:06 AM

If you're running dbconnect on an indexer then the data will be indexed just fine. However, if you are running dbconnect on a standalone search head with separate indexers you need to set up outputs.conf to forward the data to your indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...