
db_connect query works but does not store in index

agentguerry
Path Finder

We have a query running as an input in db_connect.
The query itself is successful (it takes about 30 seconds to run).
We have our query timeout set to 300 seconds just to ensure it would run.

Once we set up our cron job to run it and store it to our index (index=dbx), we still see no results being saved 10 minutes after the query should have run via cron.

Any insights on what could be happening?

0 Karma

terence_freeman
New Member

We are using a Search Head Cluster with Index Cluster.

3 Search Heads
3 Index Peer Nodes

DB Connect is installed on all Search Heads by using the deployer. We created the 'dbx' index on the Index Master and pushed out the new cluster bundle to each peer node. We also tried creating the 'dbx' index directly on one of the SH instances and that does not work either. When we know the input query should have run we are clicking on 'find events' and we aren't seeing any results. We have also tried the search from the 'Search App' as well and nothing.

0 Karma

codebuilder
SplunkTrust

A few questions and some insight...
Where do you have DB Connect installed?
How are you verifying there are no events in your index, and/or from where are you searching?
Depending on where you are searching, what app context are you using?

By default, DB Connect does not have privileges to search an indexer/cluster. If you are using a standalone node to run DB Connect, you'll have to configure it as a search head. Otherwise, it basically acts as a forwarder.

If you installed it on a search head (which otherwise has access to an indexer/cluster), you still cannot search the index from within the DB Connect app context unless you assign it permissions to do so.

Try searching from a search head using the search app context to verify if events are being sent to your index.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma