All Apps and Add-ons

oracle data input causing errors log in splunkd?

Path Finder

Hi,

Am trying to receive oracle logs to splunk server using dbipoll script.

However,splunkd.log has the following errors since the script is scheduled to run every 60 secs,although there are still some events coming in from oracle server:

06-24-2010 14:15:56.011 INFO TcpInputProc - Connection in raw mode from IP=1.2.3.4
06-24-2010 14:15:58.980 INFO TcpInputProc - Hostname=1.2.3.4 closed connection
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
06-24-2010 14:16:25.517 ERROR stats - The argument '>' is invalid.
06-24-2010 14:16:55.836 INFO TcpInputProc - Connection in raw mode from IP=1.2.3.4
06-24-2010 14:16:58.944 INFO TcpInputProc - Hostname=1.2.3.4 closed connection

I suspect the error lies in the script but not sure about it,as can't seem to find anything wrong with it yet. Or could it be some other issues?

Tags (2)
0 Karma
1 Solution

Path Finder

Thanks.
The line:
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
is referring to one of my scheduled search...

That aside,Im still receiving oracle logs at tcp port using the script,on and off. However I noticed during certain period of time in a day there are 0 events recorded in Splunk. This period usually from 12pm noon till 12 midnight..

I've checked the actual oracle logs and there are events during this time.Oracle doesn't seem to have any errors as well. Any idea?

View solution in original post

0 Karma

Path Finder

Thanks.
The line:
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
is referring to one of my scheduled search...

That aside,Im still receiving oracle logs at tcp port using the script,on and off. However I noticed during certain period of time in a day there are 0 events recorded in Splunk. This period usually from 12pm noon till 12 midnight..

I've checked the actual oracle logs and there are events during this time.Oracle doesn't seem to have any errors as well. Any idea?

View solution in original post

0 Karma

Path Finder

adding DATETIME_CONFIG = current in props.conf solves it..

0 Karma

Super Champion

Hmm, I don't see anything Oracle-specific in your sample events.

If the ERROR stats message is repeating, then look for a busted saved search. (I think savedsearches.log would have more info for you, if your running 4.1)

The TcpInputProc messages are faily normally to, if you have a forwarder sending messages (or are receiving plain TCP on a TCP input) to your splunk indexer.

BTW, If you are trying to load data from oracle log files, then let me know. I have a number of oracle sourcetypes defined so I may be able to provide some sample configs.

0 Karma

Contributor

I'm not sure how splunk handles Oracle DB logs and I'm not sure if splunk natively understands Oracle DB logs. You may need to do some type of work on props.conf and transforms.conf in order to allow splunk to recognize the log data and parse it accordingly.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!