Splunk DB Connect (DBX) tail command

falkyre
Explorer

I am trying to use the tail command but nothing seems to get into my index. I'm not doing a specific query, I just want to pull in the data to be indexed every 5 mins rather than doing a specific lookup or query. (Still learning all the ins and outs of Splunk.) Basically I want to be able to correlate anything that's in the Splunk index with values in my database (so if someone clicks on a hostname, for instance, it pulls data from the database). My thought is that using the database tail would put the data into the index and would automatically give me what I am looking for with much extra work. Am I off on my thinking?

Thanks,

Sean

0 Karma

Dan
Splunk Employee

Yes, indexing is one of the things DB Connect was designed for. It should pull in and index the data from your database.

Can you post your database.conf and inputs.conf to help diagnose why it's not working?

Dan
Splunk Employee

That's right. Let us know if you see the data now in the main index. I'll see about clarifying what index means in the manager UI.

0 Karma

falkyre
Explorer

Dan, silly me, I figured that the SERIAL index was a database index and not a Splunk index. If I leave that empty will the data show up in the main index?

0 Karma

Dan
Splunk Employee

I'm looking at the index=SERIAL setting in your tail stanza. Do you have this set up as a Splunk index? Do you have permissions set up to search it by default?

0 Karma

falkyre
Explorer

Yes, that works perfectly fine. I can run my queries that I normally run against that database within Splunk. I'm just not getting any data indexed, it looks like. Like I said, I watch the logs and I can see the tail getting data (except it seems like it's stalled lately). So I'm a little stumped as to why I can search for the database data or why it doesn't show up when I search against a host name.

0 Karma

Dan
Splunk Employee

Can you successfully use the dbquery command to pull data from NCreporter?

0 Karma

falkyre
Explorer

So I was watching the dbx.log and I do see that the tail gets fired off, but I can't find any data relating to the ncreporter sourcetype.

0 Karma

falkyre
Explorer

inputs.conf

[script://$SPLUNK_HOME/etc/apps/dbx/bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
index = SERIAL
output.format = mkv
output.timestamp = 0
sourcetype = ncreporter
table = REPORTER_STATUS
tail.rising.column = SERIAL
interval = auto
disabled = 0
0 Karma
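
The check this thread ends up needing, written as an added example (not part of the original posts and not DB Connect's own code): for each enabled `dbmon-tail` stanza, confirm that `index` names a Splunk index, treating an unset `index` as `main` as discussed in the thread. The `indexes.conf` content and the function names are assumptions constructed for illustration.

```python
import configparser

# Constructed sample: stanzas copied from the inputs.conf in the post above.
INPUTS_CONF = """\
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
sourcetype = dbmon:spool

[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
index = SERIAL
sourcetype = ncreporter
table = REPORTER_STATUS
tail.rising.column = SERIAL
disabled = 0
"""

# Constructed sample (assumption): the Splunk indexes defined on this instance.
INDEXES_CONF = """\
[main]
[netcool]
"""

def _parse(text):
    # Splunk .conf files are INI-like: no interpolation, split keys on '=' only.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp

def check_tail_indexes(inputs_text, indexes_text):
    """Return (stanza, index, is_defined) for each enabled dbmon-tail input."""
    defined = set(_parse(indexes_text).sections())
    inputs = _parse(inputs_text)
    results = []
    for stanza in inputs.sections():
        if not stanza.startswith("dbmon-tail://"):
            continue
        if inputs.get(stanza, "disabled", fallback="0").strip() == "1":
            continue
        # An unset or empty index falls back to main.
        index = inputs.get(stanza, "index", fallback="main").strip() or "main"
        results.append((stanza, index, index in defined))
    return results

if __name__ == "__main__":
    for stanza, index, ok in check_tail_indexes(INPUTS_CONF, INDEXES_CONF):
        print(f"{'OK' if ok else 'MISSING'} index={index} <- [{stanza}]")
```

Run against the posted stanza, this flags `SERIAL`, which is the rising column name rather than a Splunk index.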

falkyre
Explorer

As requested (username and passwords removed):

database.conf

[NetCool]
database = reporter
host = thumper
password = ***removed***
port = 3306
readonly = 1
type = mysql
username = ***removed***

[NCreporter]
database = orcl.oracle.com
host = thumper
password = ***removed***
port = 1521
readonly = 1
type = oracle
username = ***removed***
0 Karma