Archive
Highlighted

DB Connect Tail Command not updating

Engager

I am using a tail db command to pull events from a Oracle database every hour. I was able to pull in all of the data the first time it ran but I haven't received any new events. When I looked at the log file I'm receiving the following error message:

2013-06-21 10:48:53.060 dbx5648:INFO:DatabaseInfoCommand - Fetching tables for database=DBAudit
2013-06-21 10:49:31.963 dbx9326:INFO:DatabaseInfoCommand - Fetching schemas for database=DB
Audit
2013-06-21 10:49:33.123 dbx4360:INFO:DatabaseInfoCommand - Fetching tables for database=DBAudit
2013-06-21 11:21:22.312 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://DB
Audit/DBAuditTail]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://DBAudit/DBAuditTail
2013-06-21 11:23:16.671 dbx7573:INFO:DatabaseInfoCommand - Fetching schemas for database=DB
Audit
2013-06-21 11:23:18.714 dbx179:INFO:DatabaseInfoCommand - Fetching tables for database=DBAudit
2013-06-21 11:30:16.066 dbx5726:INFO:DatabaseInfoCommand - Fetching schemas for database=DB
Audit
2013-06-21 11:30:17.237 dbx373:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit

Any idea what this error is?

Thanks,

Tags (1)
0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Influencer

The error suggests that there is no output.format in your database input stanza in inputs.conf. This setting is mandatory - you could try to update the input using the UI once and see if that resolves the problem.

0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Engager

Strange when I look at the inputs.conf file it's there. Should I just re-save the config file ?

0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Influencer

That shouldn't be necessary. You can try to restart Splunk in order to force DB Connect to reload the config.

0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Engager

I've restarted splunk but I'm still receiving the errors.

0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Influencer

What result do you get when you run the following command (assuming the splunk binary is in $PATH):

splunk cmd btool inputs list dbmon-tail://DB_Audit/DB_Audit_Tail --debug
0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Engager

I ran the btool command earlier and it shows the output.format in there.
/opt/splunk/etc/apps/dbx/local/inputs.conf output.format = kv
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp = 1
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.column = created_on
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.format = MM/dd/yyyy HH:mm:ss.SSS
It's like Splunk doesn't see those lines. The strange thing is it was working a few days ago.

0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Explorer

I'm having the same problem as "Knewter". The difference is that I'm trying to read data from MS-SQL. We also tried without the SQL-query, no output-timestamp and different output.formats, all with the same result. The output of "splunk cmd btool inputs list dbmon-tail shows that all settings in the stanza's are read by Splunk correctly.

Splunk-version=5.0.3

DB-connect-version=1.0.10

Environment=Server 2008 R2 Enterprise

Error-message in "dbx.log"

2013-07-09 10:46:12.200 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://xxxxxxx/xxxxxxx]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://xxxxxxx/xxxxxxx

SPLUNK_HOME\etc\apps\dbx\local\inputs.conf

[script://$SPLUNKHOME\etc\apps\dbx\bin\jbridgeserver.py]

disabled = 0

[batch://$SPLUNK_HOME\var\spool\dbmon*.dbmonevt]

crcSalt =

disabled = 0

move_policy = sinkhole

sourcetype = dbmon:spool

[dbmon-tail://xxxxxxx/xxxxxxx]

host = xxxxxxx

index = owa

interval = 300

output.format = kv

output.timestamp = 1

output.timestamp.column = logtime

query = select dbo.xxxxxxx(ClientIP), ClientUserName,logtime,uri from dbo.xxxxxxxxxxxx where ClientUserName
like '%LDAP%' and UrlDestHost LIKE '%mxs%'

sourcetype = OWA

tail.rising.column = logtime

table = dbo.xxxxxxxxxxxx

output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSS

0 Karma
Highlighted

Re: DB Connect Tail Command not updating

Super Champion

You may need an output.timestamp.parse.format
This is from an old post: http://splunk-base.splunk.com/answers/71485/splunk-db-connect-timestamp-not-working

"The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once the timestamp was converted to text and both format filters were set to match the output, everything seemed to start working correctly."

Output.timestamp.parse.format is explained here: http://docs.splunk.com/Documentation/DBX/1.0.11/DeployDBX/inputsspec

You also need to watch out for conflicting input.conf files.

0 Karma