- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- DB Connect: Why is data not being indexed when an ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, I'm new to splunk but have been thrown into a project and need to figure things out on my own.
I'm using DBConnect app, dbmon-tail, and am placing the results into an index named content_eng.
When I setup the dbmon-tail, it works when I leave default/blank for the index.
What possibilities could cause it not to work with content_eng? It would seem like a permissions issue, just not sure. I've gone into Access controls » Roles and made sure the dbx user has all capabilities (to test, not perm), but that hasn't helped.
The index content_eng does exist on the indexers directly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution... Finally...
You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:
[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30
I decided to mimic my primary forwarder's outputs.conf too which made it super easy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution... Finally...
You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:
[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30
I decided to mimic my primary forwarder's outputs.conf too which made it super easy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You must create the index content_eng on the indexers in your environment. You don't say how your Splunk is configured, but if you are logged into a search head as the Splunk admin, you will not see the configurations on the indexers. If you are logged into the indexer as the Splunk admin, you should see the content_eng index under Settings > Data > Indexes. If you don't, then something is wrong with the configuration that was set up by the other team member.
You might want to find the stanza for [content_eng] in indexes.conf (there may be multiple copies of this file, so you may have to look in more than one place). If you can't see what's wrong, post the [content_eng] stanza here - and tell us where you found it.
Another thing that could affect this: are you using clustering?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
