All Apps and Add-ons

heavy forwarder does not forward data from db connect

Path Finder

Hello,

I have set up a heavy forwarder with DBX. The connection to my sample database (mySQL) works, but the data is not forwarded to my indexer.
I tested the connection by forwarding the syslog from the machine to my indexer, this worked fine.
I read SPLUNK answers up and down but cannot find the solution to my problem.
According to other answers, it should be enough to have setup outputs.conf correctly, which I think I proved by forwarding syslog.
I searched metrics.log to find any hint of forwarding my data, but did not find any (searched for "test" which is the index the data should be stored in)
db_inputs.conf:
[all_testtable]
batch_upload_size = 1000
connection = testconnect
disabled = 0
fetch_size = 300
index = test
index_time_mode = current
interval = 1200
max_rows = 0
max_single_checkpoint_file_size = 10485760
mode = rising
query = SELECT * FROM testbase.testtable where ID > ? order by ID
query_timeout = 30
sourcetype = Standard
tail_rising_column_number = 1

Splunk version (both forwarder and indexer) is 7.1.2
DB Connect Version is 3.1.3

Any help appreciated

0 Karma
1 Solution

Path Finder

I called support and got an older version (2.4.1) this works perfectly so far.
I hope DBX will notice that there seems to be a problem forwarding via HEC and fix it soon.

View solution in original post

0 Karma

Path Finder

I called support and got an older version (2.4.1) this works perfectly so far.
I hope DBX will notice that there seems to be a problem forwarding via HEC and fix it soon.

View solution in original post

0 Karma

Path Finder

Thanks,
it did not lead me to a solution but it eventually brought me to this piece of documentation : http://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Troubleshooting#Debug_HTTP_Event_Collector_....
It seems here is the problem because I also found :
java.io.IOException: HTTP Error 400: Bad Request in /opt/splunk/var/log/splunk/splunk_app_db_connect_server.log

But here I ran into the next dead end: I read about setting up HEC tokens, but I could not find how to tell the forwarder to use this token (or the other way around, I set up tokens on both sides, but of course they are different)

0 Karma

Contributor

check your cron schedule maybe?

also I would be looking in the db connect logs not the metric logs. Start here $SPLUNK_HOME\var\log\splunk_app_db_connect_audit_command.date.log

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!