Weird behavior. I have a DB Input that tails a simple ORACLE table. Rising column is ROWID. Input runs via cron every 10 minutes. Data is being indexed; however, there are gaps in the index where no data exists--2 to 3 hours missing a couple of days a week. I can run the query in the search app with no problems--I get data for the timeframe in question.
The table is only about 300MB in size. Daily volume is roughly 24MB. I'm guessing the DB input will do a full table scan the first time it runs? Could this be interfering with indexing?
So I was unable to recreate this on 3 other search heads running the same version of Splunk and DB Connect. Thus the issue must be something about the config settings on the server in question. In other words, user error...
In comparing the config files between the four search heads, only ONE is set up on the deployment server and it's the one that is not working correctly.
The only difference I could see is the deployment server is pushing out an application that has an indexes.conf with THIS index in it. None of the other search heads that are indexing correctly have this indexes.conf file.
I removed the indexes.conf from the app folder on the deployment server and redeployed the application and voila--problem solved!
ROWID is unique, but not necessarily incremental - it includes an object number, data block number, position of the row in the block, and the datafile number. Depending on where (which file, block, and row) a new row is added by Oracle, the rowid may be "less" than what Splunk is looking for. This would explain the gaps in your monitoring. To guarantee that data is not missed, you need to use a truly incremental column like a sequence-generated id or a timestamp.
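The effect described in the answer above, as an added example that is not part of the original thread: it simulates a scheduled tail that fetches rows with `column > checkpoint` (an assumed model of a rising-column input) and compares a ROWID-like column against a sequence id. The table, column names and the simplified `object.file.block.row` string are constructed for illustration; real Oracle ROWIDs are encoded differently.

```python
import sqlite3

# Constructed sample: (seq_id, rid) in insertion order. rid is a simplified,
# sortable stand-in for a ROWID ("object.file.block.row"). New rows can land
# in free space of an earlier block, so rid does not grow with insert time.
ROWS = [
    (1, "000A1.0004.000010.0000"),
    (2, "000A1.0004.000010.0001"),
    (3, "000A1.0004.000012.0000"),
    (4, "000A1.0004.000012.0001"),
    (5, "000A1.0004.000011.0000"),  # placed in an earlier block
    (6, "000A1.0004.000013.0000"),
    (7, "000A1.0004.000010.0002"),  # placed in an earlier block
    (8, "000A1.0004.000013.0001"),
]

def tail(conn, column, checkpoint):
    """One scheduled run: fetch rows above the checkpoint, then advance it."""
    assert column in ("seq_id", "rid")  # allow-list; never interpolate user input
    rows = conn.execute(
        f"SELECT seq_id, {column} FROM events WHERE {column} > ? ORDER BY {column}",
        (checkpoint,)).fetchall()
    if rows:
        checkpoint = rows[-1][1]  # highest value seen becomes the new checkpoint
    return [r[0] for r in rows], checkpoint

def simulate(column, initial, batch=2):
    """Insert ROWS in batches, tailing after each batch; return seq_ids indexed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (seq_id INTEGER, rid TEXT)")
    indexed, checkpoint = [], initial
    for i in range(0, len(ROWS), batch):
        conn.executemany("INSERT INTO events VALUES (?, ?)", ROWS[i:i + batch])
        got, checkpoint = tail(conn, column, checkpoint)
        indexed.extend(got)
    return indexed

def missed(column, initial):
    """Audit check: seq_ids present in the source but never indexed."""
    return sorted({r[0] for r in ROWS} - set(simulate(column, initial)))

if __name__ == "__main__":
    print("missed with rid as rising column:   ", missed("rid", ""))
    print("missed with seq_id as rising column:", missed("seq_id", 0))
```

The `missed` comparison is also a usable audit pattern: periodically reconcile source row ids against what was indexed to detect silent ingestion gaps.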