All Apps and Add-ons

writing MS SQL data with Splunk Enterprise 7.1.1 and DB Connect 3.1.3. in main Index,Collect Data form MS SQL 2016 with Splunk 7.1.1 and DB Connect 3.1.3

Tobias11194
Explorer

At the beginning some informations about the Enviroment.
- Single Instance of Splunk Enterprise in Version 7.1.1
- MS SQL 2016 Database
- JRE Version 8 (1.8.0_181)
- JDBC Driver Version 6.4
- DB Connect App 3.1.3.

The connection to the datebase works. So it is possible to execute the SQL query and preview the data. But the data is not written to the index.
In the splunk_app_db-connect_server log file we found the following issue:

2018-08-28 11:41:23.122 +0200 [QuartzScheduler_Worker-17] ERROR c.s.d.s.task.listeners.RecordWriterMetricsListener - action=unable_to_write_batch
java.io.IOException: HTTP Error 400: Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

So here is what we have tried so far:
- changing DB Connect inputs to use current Index time
- removing Rising Column from DB Connect Input
- changing the port of the HEC in the global settings
- we filled the "Host" field on input configuration
- on HEC we disabled Indexer acknowledgement

With DB Connect 2.4.1 the writing to the main index works.... but there is an other problem by using the rising column functionally.

0 Karma

jcoates
Communicator

Tobias11194
Explorer

Thanks for your help. We installed Splunk on a different machine with Windows 10 instead of Windows Server 2016 now. Everything works fine now somehow...

0 Karma

jcoates
Communicator

I think you've properly diagnosed that it's unable to write into HEC -- can you write any input from db connect? The setup should have created an HEC input, is it there and enabled in Splunk inputs?

Tobias11194
Explorer

At the moment we aren't able to write any input from db connect to any index. The db-connect-http-input is visible and enabled in Inputs > HEC.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...