Solved: oracle data input causing errors log in splunkd?

apro · ‎06-24-2010

Hi,

Am trying to receive oracle logs to splunk server using dbipoll script.

However,splunkd.log has the following errors since the script is scheduled to run every 60 secs,although there are still some events coming in from oracle server:

06-24-2010 14:15:56.011 INFO TcpInputProc - Connection in raw mode from IP=1.2.3.4
06-24-2010 14:15:58.980 INFO TcpInputProc - Hostname=1.2.3.4 closed connection
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
06-24-2010 14:16:25.517 ERROR stats - The argument '>' is invalid.
06-24-2010 14:16:55.836 INFO TcpInputProc - Connection in raw mode from IP=1.2.3.4
06-24-2010 14:16:58.944 INFO TcpInputProc - Hostname=1.2.3.4 closed connection

I suspect the error lies in the script but not sure about it,as can't seem to find anything wrong with it yet. Or could it be some other issues?

apro · ‎06-25-2010

Thanks.
The line:
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
is referring to one of my scheduled search...

That aside,Im still receiving oracle logs at tcp port using the script,on and off. However I noticed during certain period of time in a day there are 0 events recorded in Splunk. This period usually from 12pm noon till 12 midnight..

I've checked the actual oracle logs and there are events during this time.Oracle doesn't seem to have any errors as well. Any idea?

View solution in original post

apro · ‎06-25-2010

Thanks.
The line:
06-24-2010 14:16:01.057 ERROR stats - The argument '>' is invalid.
is referring to one of my scheduled search...

That aside,Im still receiving oracle logs at tcp port using the script,on and off. However I noticed during certain period of time in a day there are 0 events recorded in Splunk. This period usually from 12pm noon till 12 midnight..

I've checked the actual oracle logs and there are events during this time.Oracle doesn't seem to have any errors as well. Any idea?

apro · ‎07-12-2010

adding DATETIME_CONFIG = current in props.conf solves it..

Lowell · ‎06-24-2010

Hmm, I don't see anything Oracle-specific in your sample events.

If the ERROR stats message is repeating, then look for a busted saved search. (I think savedsearches.log would have more info for you, if your running 4.1)

The TcpInputProc messages are faily normally to, if you have a forwarder sending messages (or are receiving plain TCP on a TCP input) to your splunk indexer.

BTW, If you are trying to load data from oracle log files, then let me know. I have a number of oracle sourcetypes defined so I may be able to provide some sample configs.

balbano · ‎06-24-2010

I'm not sure how splunk handles Oracle DB logs and I'm not sure if splunk natively understands Oracle DB logs. You may need to do some type of work on props.conf and transforms.conf in order to allow splunk to recognize the log data and parse it accordingly.

oracle data input causing errors log in splunkd?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation