I am using a tail db command to pull events from an Oracle database every hour. I was able to pull in all of the data the first time it ran, but I haven't received any new events. When I looked at the log file I'm receiving the following error message:
2013-06-21 10:48:53.060 dbx5648:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 10:49:31.963 dbx9326:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 10:49:33.123 dbx4360:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:21:22.312 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://DB_Audit/DB_Audit_Tail]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://DB_Audit/DB_Audit_Tail
2013-06-21 11:23:16.671 dbx7573:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:23:18.714 dbx179:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:30:16.066 dbx5726:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:30:17.237 dbx373:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
Any idea what this error is?
Thanks,
You may need an output.timestamp.parse.format
This is from an old post: http://splunk-base.splunk.com/answers/71485/splunk-db-connect-timestamp-not-working
"The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once the timestamp was converted to text and both format filters were set to match the output, everything seemed to start working correctly."
Output.timestamp.parse.format is explained here: http://docs.splunk.com/Documentation/DBX/1.0.11/DeployDBX/inputsspec
You also need to watch out for conflicting input.conf files.
I'm having the same problem as "Knewter". The difference is that I'm trying to read data from MS-SQL. We also tried without the SQL-query, no output-timestamp and different output.formats, all with the same result. The output of "splunk cmd btool inputs list dbmon-tail" shows that all settings in the stanzas are read by Splunk correctly.
Splunk-version=5.0.3
DB-connect-version=1.0.10
Environment=Server 2008 R2 Enterprise
Error-message in "dbx.log"
2013-07-09 10:46:12.200 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://xxxxxxx/xxxxxxx]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://xxxxxxx/xxxxxxx
SPLUNK_HOME\etc\apps\dbx\local\inputs.conf
[script://$SPLUNK_HOME\etc\apps\dbx\bin\jbridge_server.py]
disabled = 0
[batch://$SPLUNK_HOME\var\spool\dbmon*.dbmonevt]
crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
[dbmon-tail://xxxxxxx/xxxxxxx]
host = xxxxxxx
index = owa
interval = 300
output.format = kv
output.timestamp = 1
output.timestamp.column = logtime
query = select dbo.xxxxxxx(ClientIP), ClientUserName,logtime,uri from dbo.xxxxxxxxxxxx where ClientUserName
like '%LDAP%' and UrlDestHost LIKE '%mxs%'
sourcetype = OWA
tail.rising.column = logtime
table = dbo.xxxxxxxxxxxx
output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSS
The error suggests that there is no output.format in your database input stanza in inputs.conf. This setting is mandatory - you could try to update the input using the UI once and see if that resolves the problem.
I ran the btool command earlier and it shows the output.format in there.
/opt/splunk/etc/apps/dbx/local/inputs.conf output.format = kv
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp = 1
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.column = created_on
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.format = MM/dd/yyyy HH:mm:ss.SSS
It's like Splunk doesn't see those lines. The strange thing is it was working a few days ago.
What result do you get when you run the following command (assuming the splunk binary is in $PATH):
splunk cmd btool inputs list dbmon-tail://DB_Audit/DB_Audit_Tail --debug
I've restarted splunk but I'm still receiving the errors.
That shouldn't be necessary. You can try to restart Splunk in order to force DB Connect to reload the config.
Strange, when I look at the inputs.conf file it's there. Should I just re-save the config file?