Archive

Splunk DB Connect tail doesn't work

Path Finder

Hello,

I just install DB connect in tail mode on MySQL DB and the daemon tail never works.

Using Splunk UI I can successfully connect and query the MySQL DB.

dbx.log extract :

dbx6092:INFO:BridgeSession - Executing Bridge command: BridgeExecutionInfo{className=com.splunk.dbx.command.DatabaseQueryCommand}
dbx6092:INFO:DatabaseQueryCommand - action=executing SQL query="SELECT * FROM `<mytable>` WHERE `action` LIKE '%action%' " on database=<mydb>
dbx6092:WARN:DatabaseQueryCommand - SearchResultsInfo file null doesn't exist

My query return data as expected.

Below the Java Bridge Server Status (data get from UI DB apps -> setting -> "Java Bridge Server Status")
with my inputs.conf and database.conf.

If someone have any idea ... some additional test, file to see or anything else ?

Thanks,

Status for Splunkd{host='xxxx', sessionKey='xxxx'} (com.splunk.rest.Splunkd)
Splunkd REST connection with sessionKey=xxxxxx (VALID) requests=811

Status for Pooled database factory (com.splunk.dbx.sql.factory.PooledConnectionFactory)
Loaded databases:
    Database{name='<mydbname>', databaseType=MySQL{}, host='xx.xx.xx.xx', port=3306, username='xxxx', database='<mysqldb>'}
    Pool: GenericKeyedObjectPool{active=0, idle=1, maxActive=15, maxIdle=5}

Status for DatabaseMonitoringManager (com.splunk.dbx.monitor.DatabaseMonitoringManager)
Inputs:
    [dbmon-tail://<mydbname>/<mydevice>]: valid=true disabled=false scheduleType=AUTO interval=auto running=false

Status for JavaBridgeServer (com.splunk.bridge.JavaBridgeServer)
    listening on 127.0.0.1:17865 running=true executedSessions=41

Status for ProcessWatcher (com.splunk.bridge.JavaBridgeServer$ProcessWatcher)
    Watching pid file: /opt/splunk/var/run/splunk/dbx/dbx.lock with pid=22420 failures=0

cat inputs.conf

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://<mydbname>/<mydevice>]
host = <myhost>
index = default
output.format = kv
output.timestamp = 1
output.timestamp.column = 1time
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%'
sourcetype = db_mysql
tail.rising.column = 1time
interval = 60
table = mytable

cat database.conf
[mydbname]
database = mysqldb
host = xx.xx.xx.xx
isolation_level = DATABASE_SETTING
password = enc:xxxxxxxxxxx
port = 3306
readonly = 1
type = mysql
username = xxxxx

0 Karma
1 Solution

Motivator

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}} 

View solution in original post

Path Finder

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

0 Karma

Motivator

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}} 

View solution in original post

Path Finder

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!