We have Splunk DBX 1.2.2 on a Splunk 6.1.4 install.
It's been working fine, but we had an incident where an incorrect DB Input was created which started indexing tens of GB of data.
We disabled all queries but this made no difference. The only thing that stopped the index and license storm was to disable the DBX app.
When I restart the DBX app it appears to then keep indexing the tens of GB of data - looks like something is caching this feed - either to the DB or the DBX to indexer.
Either way, it means I have to keep the DBX stopped until I can work out where this index storm is coming from, so I can get the DBX started again safely without blowing out our license.
Any assistance gratefully received to understand this issue.
As a next step - I made sure DBX was stopped (disabled after a restart), then went in and removed all DB connection info from the conf files in local, and also renamed the var/log/splunk/persisteantstorage/dbx entries to try and ensure those weren't participating.
On restart - more indexing despite no DB connections set up.
I then removed the app using splunk remove app dbx
installed the app clean
and still indexing ... so disabled it again
Is there a cached entry for something like the javabridge server which is sending this data through?