- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: writing MS SQL data with Splunk Enterprise 7.1...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
writing MS SQL data with Splunk Enterprise 7.1.1 and DB Connect 3.1.3. in main Index,Collect Data form MS SQL 2016 with Splunk 7.1.1 and DB Connect 3.1.3
At the beginning some informations about the Enviroment.
- Single Instance of Splunk Enterprise in Version 7.1.1
- MS SQL 2016 Database
- JRE Version 8 (1.8.0_181)
- JDBC Driver Version 6.4
- DB Connect App 3.1.3.
The connection to the datebase works. So it is possible to execute the SQL query and preview the data. But the data is not written to the index.
In the splunk_app_db-connect_server log file we found the following issue:
2018-08-28 11:41:23.122 +0200 [QuartzScheduler_Worker-17] ERROR c.s.d.s.task.listeners.RecordWriterMetricsListener - action=unable_to_write_batch
java.io.IOException: HTTP Error 400: Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
So here is what we have tried so far:
- changing DB Connect inputs to use current Index time
- removing Rising Column from DB Connect Input
- changing the port of the HEC in the global settings
- we filled the "Host" field on input configuration
- on HEC we disabled Indexer acknowledgement
With DB Connect 2.4.1 the writing to the main index works.... but there is an other problem by using the rising column functionally.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That makes this your next step then http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/TroubleshootHTTPEventCollector
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help. We installed Splunk on a different machine with Windows 10 instead of Windows Server 2016 now. Everything works fine now somehow...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you've properly diagnosed that it's unable to write into HEC -- can you write any input from db connect? The setup should have created an HEC input, is it there and enabled in Splunk inputs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the moment we aren't able to write any input from db connect to any index. The db-connect-http-input is visible and enabled in Inputs > HEC.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
