I am trying to use the tail command but nothing seems to get into my index. I'm not doing a specific query, I just want to pull in the data to be indexed every 5 mins rather than doing a specific lookup or query. (still learning all the ins and outs of Splunk). Basically I want to be able to correlate anything that's in the Splunk index with values in my database (so if someone clicks on a hostname for instance, it pulls data from the database). My thought is that using the database tail would put the data into the index and would automatically give me what I am looking for with much extra work. Am I off in my thinking?
Yes, indexing is one of the things DB Connect was designed for. It should pull in and index the data from your database.
Can you post your database.conf and inputs.conf to help diagnose why it's not working?
As requested (username and passwords removed):
database.conf:

[NetCool]
database = reporter
host = thumper
password = ***removed***
port = 3306
readonly = 1
type = mysql
username = ***removed***

[NCreporter]
database = orcl.oracle.com
host = thumper
password = ***removed***
port = 1521
readonly = 1
type = oracle
username = ***removed***
inputs.conf:

[script://$SPLUNK_HOME/etc/apps/dbx/bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
index = SERIAL
output.format = mkv
output.timestamp = 0
sourcetype = ncreporter
table = REPORTER_STATUS
tail.rising.column = SERIAL
interval = auto
disabled = 0
Yes, that works perfectly fine. I can run my queries that I normally run against that database within splunk. I'm just not getting any data indexed it looks like. Like I said, I watch the logs and I can see the tail getting data (except it seems like it's stalled lately). So I'm a little stumped as to why I can search for the database data or why it doesn't show up when I search against a host name.
I'm looking at the index=SERIAL setting in your tail stanza. Do you have this set up as a Splunk index? Do you have permissions set up to search it by default?
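One way to check for exactly this mismatch, as an added example that is not part of the original thread or of DB Connect itself: the script parses inputs.conf and indexes.conf (constructed samples embedded inline, the dbmon-tail stanza taken from the post) and reports every dbmon-tail input whose target index has no stanza in indexes.conf. It assumes that an absent or empty `index` setting falls back to the default index `main` and that indexes.conf stanza names are the index names.

```python
import configparser

# Constructed sample: the dbmon-tail stanza from the thread.
INPUTS_CONF = """
[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
index = SERIAL
output.format = mkv
output.timestamp = 0
sourcetype = ncreporter
table = REPORTER_STATUS
tail.rising.column = SERIAL
interval = auto
disabled = 0
"""

# Constructed sample: an indexes.conf that does NOT define SERIAL,
# which is the failure mode the thread is circling around.
INDEXES_CONF = """
[main]
homePath = $SPLUNK_DB/defaultdb/db

[_internal]
homePath = $SPLUNK_DB/_internaldb/db
"""

def parse_conf(text):
    """Parse a Splunk .conf file (INI-style stanzas) without $VAR interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. tail.rising.column
    cp.read_string(text)
    return cp

def missing_indexes(inputs_text, indexes_text):
    """Return {stanza: index} for dbmon-tail inputs whose target index is not
    defined in indexes.conf (events sent there are not searchable as expected)."""
    inputs = parse_conf(inputs_text)
    known = set(parse_conf(indexes_text).sections())
    problems = {}
    for stanza in inputs.sections():
        if not stanza.startswith("dbmon-tail://"):
            continue
        # Assumption: absent or empty "index" means the default index, main.
        target = inputs[stanza].get("index", "").strip() or "main"
        if target not in known:
            problems[stanza] = target
    return problems
```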
Dan, silly me, I figured that the SERIAL index was a database index and not a Splunk index. If I leave that empty will the data show up in the main index?