Deployment Architecture

DB Connect Indexing Oracle Table issue

Path Finder

Weird behavior. I have a DB Input that tails a simple ORACLE table. Rising column is ROWID. Input runs via cron every 10 minutes. Data is being indexed; however, there are gaps in the index where no data exists--2 to 3 hours missing a couple of days a week. I can run the query in the search app with no problems--I get data for the timeframe in question.

The table is only about 300MB in size. Daily volume is roughly 24MB. I'm guessing the DB input will do a full table scan the first time it runs? Could this be interfering with indexing?

Anybody experience this?

Tags (1)
0 Karma

Path Finder

so i was unable to recreate this on 3 other search heads running the same version of splunk and DB Connect. thus the issue must be something about the config settings on the server in question. In other words, user error...

In comparing the config files between the four search heads, only ONE is setup on the deployment server and its the one that is not working correctly.

The only difference I could see is the deployment server is pushing out an application that has an indexes.conf with THIS index in it. None of the other search heads that are indexing correctly have this indexes.conf file.

I removed the indexes.conf from the app folder on the deployment server and redeployed the application and voila--problem solved!

0 Karma


ROWID is unique, but not necessarily incremental - it includes an object number, data block number, position of the row in the block, and the datafile number. Depending on where (which file, block, and row) a new row is added by Oracle, the rowid may be "less" than what Splunk is looking for. This would explain the gaps in your monitoring. To guarantee that data is not missed, you need to use a truly incremental column like a sequence-generated id or a timestamp.

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...