DB Connect: Why am I getting an error trying to ad...

kenchisho · ‎10-21-2014

Environment:
Windows Server 2008 R2 x64
MS SQL 2008 R2
Splunk 6.1.4 win x64
DBX 1.1.4

When trying to add a tail input from a database using a SQL Query statement I get an error...

Encountered the following error while trying to save: In handler 'dbx-monitors': Unable to xml-parse the following data: Failed to validate: com.splunk.config.SplunkConfigurationException: Error validating dbmonTail for monitor=dbmon-tail://SrvDb/... See splunkd.log for full data.

The SQL Query work like a charm when running it manually with the dbquery command.

SELECT RecordLog.RecordID , CallLog.StartTime, CallLog.StopTime, RecordLog.UserName AS Name, CallLog.UserID, CallLog.Team, RecordLog.FileName, CallLog.StopTime-CallLog.StartTime AS Duration FROM CallLog INNER JOIN RecordLog ON CallLog.ServerID = RecordLog.ServerID AND CallLog.GlobalID = RecordLog.GlobalID AND CallLog.UserID = RecordLog.UserID {{WHERE $rising_column$ > ?}}

The rising column is set to RecordLog.RecordID.

I am out of ideas and any help is welcome.

Kenan

musskopf · ‎10-21-2014

I believe that's because the Rising Column cannot be written as tableName.columnName, it needs to be only columnName. If you have the same column name in multiple tables because of a JOIN, just add something like:

SELECT RecordLog.RecordID AS RecordIDforTail (...continue you query)

and use the RecordIDforTail as you Rising Column

Also if it doesn't help, could copy here the output from splunkd.log and dbx.log just after you get the erro? Both are in $SPLUNK_HOME/var/log/splunk

Cheers.

DB Connect: Why am I getting an error trying to add a tail input from a database using a SQL query statement?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?