To begin, some information about the environment:
- Single Instance of Splunk Enterprise in Version 7.1.1
- MS SQL 2016 Database
- JRE Version 8 (1.8.0_181)
- JDBC Driver Version 6.4
- DB Connect App 3.1.3.
The connection to the database works. So it is possible to execute the SQL query and preview the data. But the data is not written to the index.
In the splunk_app_db-connect_server log file we found the following issue:
2018-08-28 11:41:23.122 +0200 [QuartzScheduler_Worker-17] ERROR c.s.d.s.task.listeners.RecordWriterMetricsListener - action=unable_to_write_batch
java.io.IOException: HTTP Error 400: Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
So here is what we have tried so far:
- changing DB Connect inputs to use current Index time
- removing Rising Column from DB Connect Input
- changing the port of the HEC in the global settings
- we filled the "Host" field on input configuration
- on HEC we disabled Indexer acknowledgement
With DB Connect 2.4.1, writing to the main index works... but there is another problem when using the rising column functionality.
That makes this your next step, then: http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/TroubleshootHTTPEventCollector
Thanks for your help. We installed Splunk on a different machine with Windows 10 instead of Windows Server 2016 now. Everything works fine now somehow...
I think you've properly diagnosed that it's unable to write into HEC -- can you write any input from db connect? The setup should have created an HEC input, is it there and enabled in Splunk inputs?
At the moment we aren't able to write any input from db connect to any index. The db-connect-http-input is visible and enabled in Inputs > HEC.