Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DB Connect: Why is data not being indexed when an index is specified setting up a dbmon-tail?

helius
Path Finder
‎11-26-2014 05:52 AM

Hi all, I'm new to splunk but have been thrown into a project and need to figure things out on my own.

I'm using DBConnect app, dbmon-tail, and am placing the results into an index named content_eng.

When I setup the dbmon-tail, it works when I leave default/blank for the index.

What possibilities could cause it not to work with content_eng? It would seem like a permissions issue, just not sure. I've gone into Access controls » Roles and made sure the dbx user has all capabilities (to test, not perm), but that hasn't helped.

The index content_eng does exist on the indexers directly.

Reply
1 Solution
Solved! Jump to solution
Solution

helius
Path Finder
‎12-01-2014 12:09 PM

I found the solution... Finally...

You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:

[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30

I decided to mimic my primary forwarder's outputs.conf too which made it super easy.

View solution in original post

Reply
Solved! Jump to solution
Solution

helius
Path Finder
‎12-01-2014 12:09 PM

I found the solution... Finally...

You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:

[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30

I decided to mimic my primary forwarder's outputs.conf too which made it super easy.

Reply
Solved! Jump to solution

lguinn2
Legend
‎11-26-2014 03:19 PM

You must create the index content_eng on the indexers in your environment. You don't say how your Splunk is configured, but if you are logged into a search head as the Splunk admin, you will not see the configurations on the indexers. If you are logged into the indexer as the Splunk admin, you should see the content_eng index under Settings > Data > Indexes. If you don't, then something is wrong with the configuration that was set up by the other team member.

You might want to find the stanza for [content_eng] in indexes.conf (there may be multiple copies of this file, so you may have to look in more than one place). If you can't see what's wrong, post the [content_eng] stanza here - and tell us where you found it.

Another thing that could affect this: are you using clustering?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...