Splunk Enterprise

DB Connect 3.1.4 - Unable to write records - Error in handling indexed fields

aagro
Path Finder

Hi All,
I have a problem with the Splunk DB Connect app (Splunk Enterprise 7.2.3 - DB Connect 3.1.4) and my MySQL instance.
The MySQL query returns events and everything looks right, the rising column is OK, there is no error, but after I save the input, the events are not indexed:

2019-01-11 10:12:13.855 +0100 [QuartzScheduler_Worker-8] ERROR org.easybatch.core.job.BatchJob - Unable to write records
java.io.IOException: HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}, trace: HttpResponseProxy{HTTP/1.1 400 Bad Request [Date: Fri, 11 Jan 2019 09:12:13 GMT, Content-Type: application/json; charset=UTF-8, X-Content-Type-Options: nosniff, Content-Length: 78, Vary: Authorization, Connection: Keep-Alive, X-Frame-Options: SAMEORIGIN, Server: Splunkd] ResponseEntityProxy{[Content-Type: application/json; charset=UTF-8,Content-Length: 78,Chunked: false]}}
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:132)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:96)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2019-01-11 10:12:13.855 +0100 [QuartzScheduler_Worker-8] INFO org.easybatch.core.job.BatchJob - Job 'test_bcc013' finished with status: FAILED

The columns of the table are very simple and small, like an integer id or a char name.

Can someone help me, please?

0 Karma

thomasroulet
Path Finder

Http Event Collector expects to receive dates in format:

timestamp.microseconds

Splunk DB Connect transforms dates into this format via Java. If the default locale takes the comma as the decimal separator, the problems start...

To solve this problem:

In Splunk DB Connect > Configuration > Settings > General, add the option in JVM Options:

-Duser.language=en

Save; the Java server restarts.


skramp
SplunkTrust

This solved my problem, in my case it was the correct solution. Thanks!

0 Karma

chlima
Explorer

Hey guys!

What about a Windows environment?

Which settings must we use?

Thanks!

0 Karma

aagro
Path Finder

Did you encounter a problem on Windows?

By default I advise you to install the latest version of Splunk Enterprise and DB Connect.

Let us know if you're having problems.

Regards,
Antonio

0 Karma

chlima
Explorer

Hi!

Yes! I got errors like this (Unable to write records) on Windows and versions 3.1.4 or 3.1.3

I solved this by downgrading to 3.1.1

I saw in the post below and confirmed through internal logs that the time field from the HEC payload has a comma and not a dot like in the documentation. Maybe it is a bug?

https://answers.splunk.com/answers/640570/why-are-dbconnect-3-inputs-unable-to-write-records.html

0 Karma

apascualcrespo
New Member

As I mentioned before, I thought that it was related to the new version, not sure if only DB Connect (3.1.4) or also because of Splunk Enterprise (7.2.3).
I solved it by downgrading Splunk Enterprise to 7.2.1 and uninstalling DB Connect, then I installed version 3.1.2 and made new connections and identities in DB Connect. Don't copy them from 3.1.4, you have to make new ones from the beginning, otherwise it will not work.

I hope it helps you.

Álvaro.

0 Karma

aagro
Path Finder

Thank you Alvaro!

0 Karma

apascualcrespo
New Member

Did you solve it?

0 Karma

aagro
Path Finder

Yes, I solved it, but I did not try downgrading.
I'll keep your suggestion as another way to solve the problem.

Thanks,
Antonio

0 Karma

apascualcrespo
New Member

Did you update DB Connect to version 3.1.4?
I had to reinstall it and it stopped working after that...

0 Karma

aagro
Path Finder

No, DB Connect version 3.1.4 was the first installation, but I'll keep your suggestion in mind.

Thanks,
Antonio

0 Karma

aagro
Path Finder

I resolved the problem by tuning the OS environment variables (my LANG/LC_ALL was in IT):

LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8

After a server reboot, this resolved my problem.

Splunk Enterprise: 7.2.3
DB Connect: 3.1.4
OS Centos: 7.x
DB: MySQL 5.x

Regards,
Antonio

0 Karma
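
The locale effect behind both fixes in this thread (the `-Duser.language=en` JVM option and the `LANG`/`LC_ALL` change), as an added example that is not part of any post above and is not DB Connect's own code. The class, its method names, the `String.format` step and the sample event are assumptions made for illustration; the timestamp is the failure time from the log in the first post.

```java
import java.util.Locale;

// Added illustration only; this is not DB Connect source code.
public class HecTimeLocaleDemo {

    // Assumed formatting step: epoch milliseconds rendered as "seconds.fraction"
    // with a locale-sensitive formatter.
    static String epochSeconds(long epochMillis, Locale locale) {
        return String.format(locale, "%.3f", epochMillis / 1000.0);
    }

    // HEC-style envelope (constructed) with the time written as a JSON number.
    static String hecEvent(String time) {
        return "{\"time\":" + time + ",\"event\":\"constructed sample row\"}";
    }

    // A usable value is digits with an optional dot-separated fraction.
    static boolean isDotDecimal(String time) {
        return time.matches("\\d+(\\.\\d+)?");
    }

    public static void main(String[] args) {
        long ts = 1547197933855L; // 2019-01-11 09:12:13.855 GMT, the failure time in the log
        // String.format without an explicit locale uses this default.
        Locale jvmDefault = Locale.getDefault(Locale.Category.FORMAT);
        Locale[] locales = { Locale.ITALY, Locale.ENGLISH, jvmDefault };
        for (Locale locale : locales) {
            String time = epochSeconds(ts, locale);
            String verdict = isDotDecimal(time) ? "ok" : "BAD";
            System.out.printf("%-8s %-5s %s%n", locale.toLanguageTag(), verdict, hecEvent(time));
        }
    }
}
```

The third row shows what the running JVM would produce with its current default format locale, which is the value the fixes in this thread change.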