Splunk DB Connect (DBX) tail command

Explorer

I am trying to use the tail command but nothing seems to get into my index. I'm not doing a specific query; I just want to pull in the data to be indexed every 5 mins rather than doing a specific lookup or query (still learning all the ins and outs of Splunk). Basically I want to be able to correlate anything that's in the Splunk index with values in my database (so if someone clicks on a hostname, for instance, it pulls data from the database). My thought is that using the database tail would put the data into the index and would automatically give me what I am looking for with much extra work. Am I off in my thinking?

Thanks,

Sean


Re: Splunk DB Connect (DBX) tail command

Builder

Yes, indexing is one of the things DB Connect was designed for. It should pull in and index the data from your database.

Can you post your database.conf and inputs.conf to help diagnose why it's not working?


Re: Splunk DB Connect (DBX) tail command

Explorer

As requested (username and passwords removed):

database.conf

[NetCool]
database = reporter
host = thumper
password = ***removed***
port = 3306
readonly = 1
type = mysql
username = ***removed***

[NCreporter]
database = orcl.oracle.com
host = thumper
password = ***removed***
port = 1521
readonly = 1
type = oracle
username = ***removed***

Re: Splunk DB Connect (DBX) tail command

Explorer

inputs.conf

[script://$SPLUNK_HOME/etc/apps/dbx/bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
index = SERIAL
output.format = mkv
output.timestamp = 0
sourcetype = ncreporter
table = REPORTER_STATUS
tail.rising.column = SERIAL
interval = auto
disabled = 0

Re: Splunk DB Connect (DBX) tail command

Explorer

So I was watching the dbx.log and I do see that the tail gets fired off, but I can't find any data relating to the ncreporter sourcetype.


Re: Splunk DB Connect (DBX) tail command

Builder

Can you successfully use the dbquery command to pull data from NCreporter?


Re: Splunk DB Connect (DBX) tail command

Explorer

Yes, that works perfectly fine. I can run my queries that I normally run against that database within Splunk. I'm just not getting any data indexed, it looks like. Like I said, I watch the logs and I can see the tail getting data (except it seems like it's stalled lately). So I'm a little stumped as to why I can search for the database data or why it doesn't show up when I search against a host name.


Re: Splunk DB Connect (DBX) tail command

Builder

I'm looking at the index=SERIAL setting in your tail stanza. Do you have this set up as a Splunk index? Do you have permissions set up to search it by default?


Re: Splunk DB Connect (DBX) tail command

Explorer

Dan, silly me, I figured that the SERIAL index was a database index and not a Splunk index. If I leave that empty will the data show up in the main index?


Re: Splunk DB Connect (DBX) tail command

Builder

That's right. Let us know if you see the data now in the main index. I'll see about clarifying what index means in the manager UI.

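An added example, not part of the original thread and not DB Connect's own code: a small check that reads an inputs.conf and reports any dbmon-tail stanza whose index is not a Splunk index, including the case above where the value is really the rising column. The function name and the caller-supplied set of index names are assumptions; an unset index is treated as main, as confirmed in the thread.

```python
import configparser

# The dbmon-tail stanza posted in the thread (abridged), embedded as sample input.
SAMPLE_INPUTS = """\
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
sourcetype = dbmon:spool

[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
index = SERIAL
sourcetype = ncreporter
table = REPORTER_STATUS
tail.rising.column = SERIAL
"""


def check_tail_indexes(conf_text, splunk_indexes):
    """Return (stanza, index, problem) per dbmon-tail input; problem is None if OK.

    splunk_indexes is the set of index names defined on the Splunk side,
    supplied by the caller (an assumption of this example).
    """
    # interpolation=None keeps values such as $SPLUNK_HOME and <SOURCE> literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    known = set(splunk_indexes)
    results = []
    for stanza in parser.sections():
        if not stanza.startswith("dbmon-tail://"):
            continue  # only database tail inputs are checked
        opts = parser[stanza]
        # A missing or empty index setting means the events go to main.
        index = opts.get("index", "").strip() or "main"
        problem = None
        if index not in known:
            problem = "index %r is not a Splunk index" % index
            if index == opts.get("tail.rising.column", "").strip():
                problem += " (it matches tail.rising.column, a database column)"
        results.append((stanza, index, problem))
    return results


if __name__ == "__main__":
    for stanza, index, problem in check_tail_indexes(SAMPLE_INPUTS, {"main"}):
        print(stanza, "->", index, ":", problem or "ok")
```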