Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DB Connect: Why is data not being indexed when an index is specified setting up a dbmon-tail?

helius
Path Finder
‎11-26-2014 05:52 AM

Hi all, I'm new to splunk but have been thrown into a project and need to figure things out on my own.

I'm using DBConnect app, dbmon-tail, and am placing the results into an index named content_eng.

When I setup the dbmon-tail, it works when I leave default/blank for the index.

What possibilities could cause it not to work with content_eng? It would seem like a permissions issue, just not sure. I've gone into Access controls » Roles and made sure the dbx user has all capabilities (to test, not perm), but that hasn't helped.

The index content_eng does exist on the indexers directly.

Reply
1 Solution
Solved! Jump to solution
Solution

helius
Path Finder
‎12-01-2014 12:09 PM

I found the solution... Finally...

You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:

[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30

I decided to mimic my primary forwarder's outputs.conf too which made it super easy.

View solution in original post

Reply
Solved! Jump to solution
Solution

helius
Path Finder
‎12-01-2014 12:09 PM

I found the solution... Finally...

You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:

[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30

I decided to mimic my primary forwarder's outputs.conf too which made it super easy.

Reply
Solved! Jump to solution

lguinn2
Legend
‎11-26-2014 03:19 PM

You must create the index content_eng on the indexers in your environment. You don't say how your Splunk is configured, but if you are logged into a search head as the Splunk admin, you will not see the configurations on the indexers. If you are logged into the indexer as the Splunk admin, you should see the content_eng index under Settings > Data > Indexes. If you don't, then something is wrong with the configuration that was set up by the other team member.

You might want to find the stanza for [content_eng] in indexes.conf (there may be multiple copies of this file, so you may have to look in more than one place). If you can't see what's wrong, post the [content_eng] stanza here - and tell us where you found it.

Another thing that could affect this: are you using clustering?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...