All Apps and Add-ons

writing MS SQL data with Splunk Enterprise 7.1.1 and DB Connect 3.1.3. in main Index,Collect Data form MS SQL 2016 with Splunk 7.1.1 and DB Connect 3.1.3

Explorer

At the beginning some informations about the Enviroment.
- Single Instance of Splunk Enterprise in Version 7.1.1
- MS SQL 2016 Database
- JRE Version 8 (1.8.0_181)
- JDBC Driver Version 6.4
- DB Connect App 3.1.3.

The connection to the datebase works. So it is possible to execute the SQL query and preview the data. But the data is not written to the index.
In the splunkappdb-connect_server log file we found the following issue:

2018-08-28 11:41:23.122 +0200 [QuartzSchedulerWorker-17] ERROR c.s.d.s.task.listeners.RecordWriterMetricsListener - action=unabletowritebatch
java.io.IOException: HTTP Error 400: Bad Request
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

So here is what we have tried so far:
- changing DB Connect inputs to use current Index time
- removing Rising Column from DB Connect Input
- changing the port of the HEC in the global settings
- we filled the "Host" field on input configuration
- on HEC we disabled Indexer acknowledgement

With DB Connect 2.4.1 the writing to the main index works.... but there is an other problem by using the rising column functionally.

0 Karma

Communicator

Explorer

Thanks for your help. We installed Splunk on a different machine with Windows 10 instead of Windows Server 2016 now. Everything works fine now somehow...

0 Karma

Communicator

I think you've properly diagnosed that it's unable to write into HEC -- can you write any input from db connect? The setup should have created an HEC input, is it there and enabled in Splunk inputs?

Explorer

At the moment we aren't able to write any input from db connect to any index. The db-connect-http-input is visible and enabled in Inputs > HEC.

0 Karma