
db_connect query works but does not store in index

agentguerry
Path Finder

We have a query running as an input in db_connect.
The query itself is successful (takes about 30 seconds to run).
We have our query timeout set to 300 seconds just to ensure it would run.

Once we set up our cron job to run it and store it to our index (index=dbx)

We still see no results being saved 10 minutes after the query should have run via cron.

Any insights on what could be happening?

0 Karma

terence_freeman
New Member

We are using a Search Head Cluster with Index Cluster.

3 Search Heads
3 Index Peer Nodes

DB Connect is installed on all Search Heads by using the deployer. We created the 'dbx' index on the Index Master and pushed out the new cluster bundle to each peer node. We also tried creating the 'dbx' index directly on one of the SH instances and that does not work either. When we know the input query should have run we are clicking on 'find events' and we aren't seeing any results. We have also tried the search from the 'Search App' as well and nothing.

0 Karma

codebuilder
SplunkTrust

A few questions and some insight...
Where do you have DB Connect installed?
How are you verifying there are no events in your index, and/or from where are you searching?
Depending on where you are searching, what app context are you using?

By default, DB Connect does not have privileges to search an indexer/cluster. If you are using a standalone node to run DB Connect, you'll have to configure it as a search head. Otherwise, it basically acts as a forwarder.

If you installed it on a search head (which otherwise has access to an indexer/cluster), you still cannot search the index from within the DB Connect app context unless you assign it permissions to do so.

Try searching from a search head using the search app context to verify if events are being sent to your index.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
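Added example, not part of any post above: the searches a practitioner would run from a search head in the Search app context to separate the failure points codebuilder lists (events never written, events written but the searching role cannot see the index, or the input never ran). The index name dbx comes from the question. The sourcetype dbx_job_metrics and its fields (input_name, status, read_count, write_count, error_count) are an assumption about DB Connect 3's internal job logging and should be checked against the installed version; the rest endpoints and their fields are standard Splunk. Replace your_role with the role you search with.

```spl
index=dbx earliest=-24h
| stats count by host, source, sourcetype

| rest /services/data/indexes count=0
| search title=dbx
| table splunk_server, title, totalEventCount

| rest /services/authentication/current-context splunk_server=local
| table username, roles

| rest /services/authorization/roles splunk_server=local
| search title=your_role
| table title, srchIndexesAllowed, srchIndexesDefault

index=_internal sourcetype=dbx_job_metrics earliest=-24h
| table _time, input_name, status, read_count, write_count, error_count
| sort - _time
```

Read the results together: the second search confirms the dbx index actually exists on every peer (a zero or missing row means the bundle never reached that peer) and whether it holds any events at all; if it reports events while the first search returns nothing, the third and fourth searches will usually show that the searching role lacks dbx in srchIndexesAllowed, which is the app-context permission problem described above. If the index is empty, the last search (assumed field names) tells you whether the input ran on schedule and wrote rows (write_count) or failed (error_count); no rows there at all means the scheduler never fired the input, so the cron expression or the input's enabled state is the next thing to check.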