DB Connect Indexing Oracle Table issue

dlovett
Path Finder

Weird behavior. I have a DB Input that tails a simple ORACLE table. Rising column is ROWID. Input runs via cron every 10 minutes. Data is being indexed; however, there are gaps in the index where no data exists--2 to 3 hours missing a couple of days a week. I can run the query in the search app with no problems--I get data for the timeframe in question.

The table is only about 300MB in size. Daily volume is roughly 24MB. I'm guessing the DB input will do a full table scan the first time it runs? Could this be interfering with indexing?

Anybody experience this?


dlovett
Path Finder

So I was unable to recreate this on 3 other search heads running the same version of Splunk and DB Connect. Thus the issue must be something about the config settings on the server in question. In other words, user error...

In comparing the config files between the four search heads, only ONE is set up on the deployment server and it's the one that is not working correctly.

The only difference I could see is the deployment server is pushing out an application that has an indexes.conf with THIS index in it. None of the other search heads that are indexing correctly have this indexes.conf file.

I removed the indexes.conf from the app folder on the deployment server and redeployed the application and voila--problem solved!


pmdba
Builder

ROWID is unique, but not necessarily incremental - it includes an object number, data block number, position of the row in the block, and the datafile number. Depending on where (which file, block, and row) a new row is added by Oracle, the rowid may be "less" than what Splunk is looking for. This would explain the gaps in your monitoring. To guarantee that data is not missed, you need to use a truly incremental column like a sequence-generated id or a timestamp.
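
The gap mechanism described in the reply above, as an added example that is not part of the original thread and is not DB Connect's own code: a rising-column input is modelled as "fetch rows whose key is greater than the saved checkpoint", and replayed over the same inserts with a ROWID-like key and with a sequence-generated id. The `Row` type, the helper names (`poll`, `run_input`, `missed`) and the ROWID tuples are assumptions made for illustration; the tuples are a simplified stand-in, not real Oracle ROWID values.

```python
# Added example: simplified model of a rising-column (checkpoint) input.
# All rows are constructed sample data, not taken from the thread.
from typing import NamedTuple


class Row(NamedTuple):
    rowid: tuple  # (datafile_no, block_no, row_slot): simplified ROWID stand-in
    seq_id: int   # sequence-generated id, strictly increasing per insert
    msg: str


def poll(table, key, checkpoint):
    """One scheduled run: fetch rows with key > checkpoint, then advance it."""
    new = sorted((r for r in table if checkpoint is None or key(r) > checkpoint),
                 key=key)
    if new:
        checkpoint = key(new[-1])
    return new, checkpoint


def run_input(batches, key):
    """Replay insert batches with one poll after each; return indexed messages."""
    table, checkpoint, indexed = [], None, []
    for batch in batches:
        table.extend(batch)
        new, checkpoint = poll(table, key, checkpoint)
        indexed.extend(r.msg for r in new)
    return indexed


def missed(batches, key):
    """Messages that exist in the table but were never returned by any poll."""
    got = set(run_input(batches, key))
    return [r.msg for b in batches for r in b if r.msg not in got]


BATCHES = [
    [Row((4, 100, 0), 1, "a"), Row((4, 100, 1), 2, "b")],
    [Row((4, 101, 0), 3, "c")],
    # New rows placed in free space of an earlier block / a lower datafile:
    [Row((4, 90, 5), 4, "d"), Row((3, 200, 0), 5, "e")],
    [Row((4, 102, 0), 6, "f")],
]

if __name__ == "__main__":
    print("missed with ROWID key :", missed(BATCHES, lambda r: r.rowid))
    print("missed with seq_id key:", missed(BATCHES, lambda r: r.seq_id))
```

Rows "d" and "e" stay in the table and show up in an ad hoc query, but never pass the checkpoint comparison, which matches the symptom of data being visible in the database yet absent from the index.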
