Splunk Dev

why db_connect can't output result to MySQL database

xsstest
Communicator

I installed db_connect 3.1.2 on a search head in SHC mode. I want to output results to a MySQL db from a Splunk search. I tried the following two methods, but the MySQL database still has no data.

search (alert type is real-time, using admin permission):
index=attackinfo|field _time src_ip dst_ip result system

1. Save as an alert, and add the DBX output alert action as the trigger action
OR
2. Add |dbxoutput output="outputAttackinfoToLiveMap" at the end of the search

When some events pass through the search window, these events are not output to MySQL. Why? But when I open search and run the search statement a second time, these events are written to MySQL.

Why is the event not written to MySQL when it is saved as an alert, but running the search statement can output to the MySQL db? I tried to modify the alert type to a cron expression,

-1m@m @m */1 * * * *

but it is still the same.


xsstest
Communicator

The question is still not resolved, and no one knows why?


p_gurav
Champion

Hi,

I am not sure, but as per the doc:
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.

Also, can you tell me the database output setting you configured? Refer to this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs


xsstest
Communicator

Hi, @p_gurav

"not support running scheduled task."

When I configure an output, one option is "Scheduling", but I didn't check it, so I chose to use an alert to output to the MySQL database.
Do you mean the scheduled task refers to this option?


p_gurav
Champion

OK. Can you share the database output you created?


xsstest
Communicator

@p_gurav

[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0

This is what I entered manually, because I can't copy information from the intranet.

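Added example (not code from the thread or from Splunk DB Connect): a small checker for the customized_mappings value in the stanza above. It assumes the format the stanza suggests, entries of splunk_field:db_column:jdbc_type_code separated by commas, with the code being a java.sql.Types constant (12 = VARCHAR, 4 = INTEGER). Run on the posted value it flags the ';' between attacktype:12 and _time, and lists which search fields end up without an accepted mapping; whether DB Connect itself tolerates that separator is not something the thread establishes.

```python
from typing import Dict, List, Tuple

# java.sql.Types constants, which DB Connect mapping type codes refer to (common ones only).
JDBC_TYPES: Dict[int, str] = {-5: "BIGINT", 4: "INTEGER", 8: "DOUBLE", 12: "VARCHAR", 93: "TIMESTAMP"}

Mapping = Tuple[str, str, int]  # (splunk_field, db_column, jdbc_type_code)

def parse_mappings(value: str) -> Tuple[List[Mapping], List[str]]:
    """Parse a customized_mappings value; returns (accepted mappings, problems found)."""
    mappings: List[Mapping] = []
    problems: List[str] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        if ";" in entry:  # assumed format is comma-separated; ';' glues two entries together
            problems.append(f"{entry!r}: contains ';' but entries must be separated by ','")
            continue
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3:
            problems.append(f"{entry!r}: expected field:column:type_code, got {len(parts)} parts")
            continue
        field, column, code = parts
        if not code.lstrip("-").isdigit():
            problems.append(f"{entry!r}: type {code!r} is not a numeric java.sql.Types code")
            continue
        mappings.append((field, column, int(code)))
    return mappings, problems

def unmapped_search_fields(mappings: List[Mapping], search_fields: List[str]) -> List[str]:
    """Fields the search emits that no accepted mapping covers (they would never reach MySQL)."""
    mapped = {m[0] for m in mappings}
    return sorted(f for f in search_fields if f not in mapped)

# Constructed from the stanza posted in the thread (note the ';' after attacktype:12).
POSTED = "src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12"
SEARCH_FIELDS = ["_time", "src_ip", "dst_ip", "result", "system"]

if __name__ == "__main__":
    maps, probs = parse_mappings(POSTED)
    for field, column, code in maps:
        print(f"{field:8} -> {column:12} {JDBC_TYPES.get(code, f'type {code}')}")
    for p in probs:
        print("problem:", p)
    print("search fields without a mapping:", unmapped_search_fields(maps, SEARCH_FIELDS))
```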