db_connect query works but does not store in index

agentguerry
Path Finder

We have a query running as an input in db_connect.
The query itself is successful (it takes about 30 seconds to run).
We have our query timeout set to 300 seconds just to ensure it would run.

Once we set up our cron job to run it and store it to our index (index=dbx), we still see no results being saved 10 minutes after the query should have run via cron.

Any insights on what could be happening?

0 Karma

terence_freeman
New Member

We are using a Search Head Cluster with Index Cluster.

3 Search Heads
3 Index Peer Nodes

DB Connect is installed on all Search Heads by using the deployer. We created the 'dbx' index on the Index Master and pushed out the new cluster bundle to each peer node. We also tried creating the 'dbx' index directly on one of the SH instances and that does not work either. When we know the input query should have run we are clicking on 'find events' and we aren't seeing any results. We have also tried the search from the 'Search App' as well and nothing.

0 Karma

codebuilder
SplunkTrust

A few questions and some insight...
Where do you have DB Connect installed?
How are you verifying there are no events in your index, and/or from where are you searching?
Depending on where you are searching, what app context are you using?

By default, DB Connect does not have privileges to search an indexer/cluster. If you are using a standalone node to run DB Connect, you'll have to configure it as a search head. Otherwise, it basically acts as a forwarder.

If you installed it on a search head (which otherwise has access to an indexer/cluster), you still cannot search the index from within the DB Connect app context unless you assign it permissions to do so.

Try searching from a search head using the search app context to verify if events are being sent to your index.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma