All Apps and Add-ons

db_connect query works but does not store in index

agentguerry
Path Finder

We have a query running as an input in db_connect.
The query itself is successful, (takes about 30 seconds to run)
we have our query timeout set to 300 seconds just to ensure it would run.

Once we set up our cron job to run it and store it to our index (index=dbx)

we still see no results being saved 10 minutes after the query should have ran via cron.

Any insights on what could be happening?

0 Karma

terence_freeman
New Member

We are using a Search Head Cluster with Index Cluster.

3 Search Heads
3 Index Peer Nodes

DB Connect is installed on all Search Heads by using the deployer. We created the 'dbx' index on the Index Master and pushed out the new cluster bundle to each peer node. We also tried creating the 'dbx' index directly on one of the SH instances and that does not work either. When we know the input query should have run we are clicking on 'find events' and we aren't seeing any results. We have also tried the search from the 'Search App' as well and nothing.

0 Karma

codebuilder
SplunkTrust
SplunkTrust

A few questions and some insight...
Where do you have DB Connect installed?
How are you verifying there are no events in your index, and/or from where are you searching?
Depending on where you are searching, what app context are you using?

By default, DB Connect does not have privileges to search a indexer/cluster. If you are using a standalone node to run DB Connect, you'll have to configure it as a search head. Otherwise, it basically acts as a forwarder.

If you installed it on a search head (which otherwise has access to a indexer/cluster), you still cannot search the index from within the DB Connect app context unless you assign it permissions to do so.

Try searching from a search head using the search app context to verify if events are being sent to your index.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

Check out this month’s brand new Splunk Lantern articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...