Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issue with db connect indexing

vaibhavagg2006
Communicator
‎11-14-2013 10:02 PM

Hi,
I am trying to index data from sql server. I am able to fetch the data using dbquery but not able to add data to index, I have used following configurations in inputs.conf. I have tried to add data to default index as well as custom index. But no success. Please provide your inputs
Sample data

2   abc rcl


[script://$SPLUNK_HOME\etc\apps\dbx\bin\jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME\var\spool\dbmon\*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-dump://test_ext_db/sql]
index = vaibhav
output.format = kv
output.timestamp = 0
query = select * from table_splunk
sourcetype = db
table = table_splunk
host = chdsez203099d
interval = auto

[dbmon-tail://test_ext_db/dbinput]
output.format = kv
output.timestamp = 0
query = SELECT * FROM table_splunk {{WHERE $rising_column$ > ?}} \r\n\r\n
table = table_splunk
tail.rising.column = id
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎11-20-2013 06:53 AM

Latest db connect is always a good idea (1.1.1). Also check dbx.log.

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-20-2013 09:46 AM

Hi,
I updated the dbx yesterday. Still facing the issue.
Files are getting created in the spool\dbmon but not getting indexed and deleted. No suspicious log in dbx log.
splunkd sometimes contains errors which says db lookups not found..but i dont think it matters

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-20-2013 02:09 AM

the files are still there in spool\dbmon.. it means batch input is not working. Splunkd also doesnot contains any related errirs

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-18-2013 02:50 AM

is there any way i can check whether there is any error when splunk is trying to index this data?
It has created a file kv_1384758521635957316.dbmonevt in var\spool\dbmon and has following content. but it is not seen in the index.
SPLUNK host=chdsez203099d source="dbmon-dump://ext_db/db_dump" sourcetype="dbmon:kv" index=default
2013-11-18T12:38:41.609 id=1 name=xxx dept=cl
2013-11-18T12:38:41.633 id=2 name=abc dept=rcl
2013-11-18T12:38:41.633 id=3 name=yyy dept=pl

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-17-2013 10:07 PM

checked the checkpoint. itis fine..and dump is also not working.
Splunk version is 5.0.1 and dbx version is 1.0.8

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎11-17-2013 01:01 PM

I wonder if your testing has caused the checkpoint to think it's already updated...

http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Troubleshoot#Input_not_updating

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

vaibhavagg2006
Communicator
‎11-17-2013 09:36 AM

no errors surprisingly and resultcount in logs is also coming correct.continue monitoring is also true...

0 Karma
Reply

ziegfried
Influencer
‎11-16-2013 12:43 PM

Any errors in $SPLUNK_HOME/var/log/splunk/dbx.log?

0 Karma
Reply

vaibhavagg2006
Communicator
‎11-16-2013 10:19 AM

any help??

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...