Splunk Search

DB Connect: I don't see any data after adding my database input

abassili
Explorer

I have defined a database input (dump type) with a simple SQL query and a key-value output format. \

The "dbx.log" file shows that the query is running without any problems:

2014-09-19 11:06:08.426 dbx1788:INFO:ExecutionContext - Execution finished in duration=23 ms
2014-09-19 11:06:08.427 monsch2:INFO:Scheduler - Execution of input=[dbmon-dump://DB-SERVER/INPUT_SAMPLE_1] finished in duration=22 ms with resultCount=31 success=true continueMonitoring=true

The Splunk's \spool\dbmon directory has the the right csv_*.dbmonevt files.

Yet I don't see any data when I try to do the search. Even the source type is not there.

Am I missing a step in order for this to work?

Tags (1)
0 Karma

abassili
Explorer

Nothing shows up ...

Even when I try source=dbmon-tail://...., there is nothing there.

Splunk does not even recognize this source or sourcetype.

0 Karma

pradeepkumarg
Influencer

the index that you specified in your database inputs, did you create that index in indexes.conf?

0 Karma

abassili
Explorer

Where can I find that file index.conf?

I have deleted the old database input and created a new one (index = input1).

Here's the the inputs.conf (I have not changed anything there):

Copyright (C) 2005-2014 Splunk Inc. All Rights Reserved.

JBridge Server script

[script://./bin/jbridge_server.py]
index = input1
sourcetype = dbx_jbridge
interval = 0
disabled = false
passAuth = splunk-system-user
[script://.\bin\jbridge_server.py]
index = input1
sourcetype = dbx_jbridge
interval = 0
disabled = false
passAuth = splunk-system-user

Are there any files that I need to add that index to?

This is still not working. I got nothing with the search inddex = "input1"

Thanks a lot for your help. I think I'm getting closer.

0 Karma

pradeepkumarg
Influencer

If you want to create a index as "input1" you have to create it in indexes.conf. More details here
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Indexesconf

0 Karma

abassili
Explorer

I am using the deafult index (Splunk Index: index). I suppose that is already defined.

0 Karma

pradeepkumarg
Influencer

I don't think there is any index which is called as 'index', you can try 'main' index or create your own index and then configure dbinputs for that index .

abassili
Explorer

Thanks, I changed the index to main but sill no luck. Do I need to configure the index I create? Where should I do that? I see the "inputs.conf". Is that the one?

0 Karma

pradeepkumarg
Influencer

After you change the index to main, you have to make sure new events are returned for your query. I would suggest creating a new database inputs rather than modifying the existing one.

0 Karma

pradeepkumarg
Influencer

Did you try just with the source filter and see?

source will be your dbmon input like below

source=dbmon-tail://*

0 Karma

dimoobraznii
Path Finder

Sometime you can get problems with license restrictions or can define index by default, if so, you could check main index.
In addition, check Activity->jobs.

0 Karma

abassili
Explorer

Thanks ... I don't see any license alerts or violations and the volume that I have used today is way below the allowed daily volume. I checked "Activity->jobs", but I could not see any jobs there.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...