Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

DB Connect Indexing Oracle Table issue

dlovett
Path Finder
‎05-28-2014 06:13 PM

Weird behavior. I have a DB Input that tails a simple ORACLE table. Rising column is ROWID. Input runs via cron every 10 minutes. Data is being indexed; however, there are gaps in the index where no data exists--2 to 3 hours missing a couple of days a week. I can run the query in the search app with no problems--I get data for the timeframe in question.

The table is only about 300MB in size. Daily volume is roughly 24MB. I'm guessing the DB input will do a full table scan the first time it runs? Could this be interfering with indexing?

Anybody experience this?

Tags (1)
0 Karma
Reply

dlovett
Path Finder
‎06-13-2014 09:53 AM

so i was unable to recreate this on 3 other search heads running the same version of splunk and DB Connect. thus the issue must be something about the config settings on the server in question. In other words, user error...

In comparing the config files between the four search heads, only ONE is setup on the deployment server and its the one that is not working correctly.

The only difference I could see is the deployment server is pushing out an application that has an indexes.conf with THIS index in it. None of the other search heads that are indexing correctly have this indexes.conf file.

I removed the indexes.conf from the app folder on the deployment server and redeployed the application and voila--problem solved!

0 Karma
Reply

pmdba
Builder
‎05-29-2014 04:37 PM

ROWID is unique, but not necessarily incremental - it includes an object number, data block number, position of the row in the block, and the datafile number. Depending on where (which file, block, and row) a new row is added by Oracle, the rowid may be "less" than what Splunk is looking for. This would explain the gaps in your monitoring. To guarantee that data is not missed, you need to use a truly incremental column like a sequence-generated id or a timestamp.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...