We have a query running as an input in db_connect.
The query itself is successful, (takes about 30 seconds to run)
we have our query timeout set to 300 seconds just to ensure it would run.
Once we set up our cron job to run it and store it to our index (index=dbx)
we still see no results being saved 10 minutes after the query should have ran via cron.
Any insights on what could be happening?
We are using a Search Head Cluster with Index Cluster.
3 Search Heads
3 Index Peer Nodes
DB Connect is installed on all Search Heads by using the deployer. We created the 'dbx' index on the Index Master and pushed out the new cluster bundle to each peer node. We also tried creating the 'dbx' index directly on one of the SH instances and that does not work either. When we know the input query should have run we are clicking on 'find events' and we aren't seeing any results. We have also tried the search from the 'Search App' as well and nothing.
A few questions and some insight...
Where do you have DB Connect installed?
How are you verifying there are no events in your index, and/or from where are you searching?
Depending on where you are searching, what app context are you using?
By default, DB Connect does not have privileges to search a indexer/cluster. If you are using a standalone node to run DB Connect, you'll have to configure it as a search head. Otherwise, it basically acts as a forwarder.
If you installed it on a search head (which otherwise has access to a indexer/cluster), you still cannot search the index from within the DB Connect app context unless you assign it permissions to do so.
Try searching from a search head using the search app context to verify if events are being sent to your index.