
Why isn't Splunk DB Connect 2 generating any events?

adacpt
Explorer

This is a brand new database that I'm connecting to in Splunk DB Connect 2 and I can see that my Input is valid and the sample query is retrieving the correct results in the 'Choose and Preview Table' section, but it's not generating the source, sourcetype, or any actual events in the Search and Reporting app. I'm stumped as to why I'm not seeing any events.

muebel
SplunkTrust

Hi adacpt, I believe this doc will be helpful http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Troubleshooting

Essentially, reference the log to get a better idea exactly what is going on when the input script runs. If Splunk is indexing general inputs fine (the normal _internal stuff at the very least), then you should be able to figure this out through the dbx log. Turn up the logging level if necessary.

Also, do you have permissions to view the index in question? Can you find any other sort of events in that index? I'm assuming you are admin on the search head in question, but missing events could indicate an authorization issue. (probably unlikely)

0 Karma

briancrandall
Explorer

I'm having this problem too. The obvious follow-up questions are: is this a distributed deployment, and if so, do you have outputs.conf configured to send to your indexers? In my case the answer is yes to both. My input is running successfully every 5 minutes but no data is getting indexed.

0 Karma

briancrandall
Explorer

In case anyone stumbles across this later, my problem was the timestamp. I changed the parameters to use the current index time instead of choosing a column from the data, and now data is getting indexed. Next up is figuring out how to get things working using the column I want for the timestamp.

0 Karma

adacpt
Explorer

Thx, briancrandall. This fixed my issue, as well.

adacpt
Explorer

I think I may have found something that could help on this. It looked like my timedate stamp was not exactly what it was looking for. I had to check the Java Time option and then specify the timedate format from my database. That fixed my issue and the event times are now the same as my MySQL row times. Hope that helps.
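
One way to check a timestamp format against a sample column value before entering it in the input, as an added example that is not part of the original thread. It assumes the format field accepts Java `SimpleDateFormat` patterns; the class name, sample values and candidate patterns are constructed for illustration.

```java
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;

public class TimestampFormatCheck {
    // Returns the parsed Date, or null if the pattern does not match the whole value.
    static Date strictParse(String pattern, String value) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setLenient(false);                 // reject out-of-range fields such as month 13
        ParsePosition pos = new ParsePosition(0);
        Date parsed = fmt.parse(value, pos);   // returns null on failure instead of throwing
        // parse() stops at the first character it cannot use, so require that
        // the whole string was consumed; trailing text means a partial match.
        if (parsed == null || pos.getIndex() != value.length()) {
            return null;
        }
        return parsed;
    }

    public static void main(String[] args) {
        // Constructed sample values, shaped like a MySQL DATETIME column rendered as text
        String[] values = {
            "2016-03-14 09:26:53",
            "2016-03-14 09:26:53.0",
            "2016-13-14 09:26:53"              // deliberately invalid month
        };
        // Candidate patterns to try (assumed, not taken from the thread)
        String[] patterns = {
            "yyyy-MM-dd HH:mm:ss",
            "yyyy-MM-dd HH:mm:ss.S",
            "MM/dd/yyyy HH:mm:ss"
        };

        for (String value : values) {
            for (String pattern : patterns) {
                Date d = strictParse(pattern, value);
                System.out.printf("%-24s %-24s %s%n",
                        value, pattern, d == null ? "NO MATCH" : "ok -> " + d);
            }
        }
    }
}
```

A pattern that prints NO MATCH for the value your query actually returns is a likely cause of a scheduled input that runs but indexes nothing with usable event times.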

adacpt
Explorer

In my case, the answer to both questions is no. I didn't see anything in the documentation about changing inputs.conf or outputs.conf to accommodate the input that DB Connect 2 creates. Is that something you did?

0 Karma

briancrandall
Explorer

If you're running dbconnect on an indexer then the data will be indexed just fine. However, if you are running dbconnect on a standalone search head with separate indexers you need to set up outputs.conf to forward the data to your indexers.

0 Karma