- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: DB Connect Tail Command not updating
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DB Connect Tail Command not updating
I am using a tail db command to pull events from a Oracle database every hour. I was able to pull in all of the data the first time it ran but I haven't received any new events. When I looked at the log file I'm receiving the following error message:
2013-06-21 10:48:53.060 dbx5648:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 10:49:31.963 dbx9326:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 10:49:33.123 dbx4360:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:21:22.312 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://DB_Audit/DB_Audit_Tail]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://DB_Audit/DB_Audit_Tail
2013-06-21 11:23:16.671 dbx7573:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:23:18.714 dbx179:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:30:16.066 dbx5726:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:30:17.237 dbx373:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
Any idea what this error is?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may need an output.timestamp.parse.format
This is from an old post: http://splunk-base.splunk.com/answers/71485/splunk-db-connect-timestamp-not-working
"The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once the timestamp was converted to text and both format filters were set to match the output, everything seemed to start working correctly."
Output.timestamp.parse.format is explained here: http://docs.splunk.com/Documentation/DBX/1.0.11/DeployDBX/inputsspec
You also need to watch out for conflicting input.conf files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same problem as "Knewter". The difference is that I'm trying to read data from MS-SQL. We also tried without the SQL-query, no output-timestamp and different output.formats, all with the same result. The output of "splunk cmd btool inputs list dbmon-tail shows that all settings in the stanza's are read by Splunk correctly.
Splunk-version=5.0.3
DB-connect-version=1.0.10
Environment=Server 2008 R2 Enterprise
Error-message in "dbx.log"
2013-07-09 10:46:12.200 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://xxxxxxx/xxxxxxx]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://xxxxxxx/xxxxxxx
SPLUNK_HOME\etc\apps\dbx\local\inputs.conf
[script://$SPLUNK_HOME\etc\apps\dbx\bin\jbridge_server.py]
disabled = 0
[batch://$SPLUNK_HOME\var\spool\dbmon*.dbmonevt]
crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
[dbmon-tail://xxxxxxx/xxxxxxx]
host = xxxxxxx
index = owa
interval = 300
output.format = kv
output.timestamp = 1
output.timestamp.column = logtime
query = select dbo.xxxxxxx(ClientIP), ClientUserName,logtime,uri from dbo.xxxxxxxxxxxx where ClientUserName
like '%LDAP%' and UrlDestHost LIKE '%mxs%'
sourcetype = OWA
tail.rising.column = logtime
table = dbo.xxxxxxxxxxxx
output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The error suggests that there is no output.format in your database input stanza in inputs.conf. This setting is mandatory - you could try to update the input using the UI once and see if that resolves the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran the btool command earlier and it shows the output.format in there.
/opt/splunk/etc/apps/dbx/local/inputs.conf output.format = kv
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp = 1
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.column = created_on
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.format = MM/dd/yyyy HH:mm:ss.SSS
It's like Splunk doesn't see those lines. The strange thing is it was working a few days ago.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What result do you get when you run the following command (assuming the splunk binary is in $PATH):
splunk cmd btool inputs list dbmon-tail://DB_Audit/DB_Audit_Tail --debug
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've restarted splunk but I'm still receiving the errors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That shouldn't be necessary. You can try to restart Splunk in order to force DB Connect to reload the config.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Strange when I look at the inputs.conf file it's there. Should I just re-save the config file ?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
