Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Splunk DB Connect not indexing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings Splunk Answers,
I am having an issue with the Splunk DB Connect app where database inputs are not indexing.
I'm using dbmon-dump and dbmon-tail to query my DB as data sources. I can see a return of result counts in the dbx.log when the dbmon-dump monitor runs, yet a Splunk search using "source = dbmon-dump://~" does not produce the key-value data from DB table that I am expecting.
There are no issues with the db connection. Running an sql statement in DB query produces the key-value data of my table.
Is anybody experiencing a similar issue with the Splunk DB Connect app? Am I doing this wrong?
Any assistance is appreciated.
Thanks,
ktang
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like the DBX app was working all this time... and my searches were wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like the DBX app was working all this time... and my searches were wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ktang,
connection to DB is OK, and dbx.log shows row counts, then next you need to check is the intermediate file is actually created and indexed.
I think DBX actually get inputs through the following directry as batch input.
${SPLUNK_HOME}/var/spool/dbmon/*.dbmonevt
and by default, the batch input for the directory is enabled, but if you manually diable it, probable, splunk won't eat DB input even though java bridge actuary read rows from DBMS.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so the directory is configured as batch input with sinkhole option. That means input file is deleted after index is completed. So you may or may not not see anything under that directory, depending on the timing. As long as that directory is configured and you have not touched the config, then you should be OK.
and, good to hear you see DB Connect is working 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for responding.
The batch input is enabled in my local inputs.conf file.
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
I've checked:
${SPLUNK_HOME}/var/spool/dbmon/*.dbmonevt
..no *.dbmonevt files are in the dir.
Looks like the problem is here and has to do with why .dbmonevt files are not seen with batch input enabled..?
Since I haven't got database inputs working, I'm not sure what to expect from the batch input.
Do you have this working? What do you have in
$SPLUNK_HOME/var/spool/dbmon?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
