Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

dbconnect - data base input (dump) - double events every time it runs

cramasta
Builder
‎04-15-2013 07:52 AM

I have a db input setup to take a dump using a query once a day.

My settings are
-Dump
-I have a custom query
-Key-Value Format
-Include Timestamp

Everytime that the input runs i get duplicates of each event. My query returns results that dont contain a timestamp which is why I configured the input to create one. Each duplicate event will have the same splunk generated timestamp.

If i run the same query with the dbquery command i get the correct number of results

Any ideas why this is happening?

0 Karma
Reply

ziegfried
Influencer
‎04-18-2013 02:47 PM

Have you upgraded from an older version of DB Connect/DBX? If so, which version?

0 Karma
Reply

Dan
Splunk Employee
Splunk Employee
‎04-17-2013 09:57 AM

I believe that is expected behavior for the dump command. The full results of the query will be indexed every time. If you don't have a suitable rising column in the table, you will not be able to get just the new events.

Can you please post your custom query, or better yet, the contents of inputs.conf?

Thanks!

Reply

cramasta
Builder
‎04-17-2013 04:30 PM

Hi Dan.

The thing is I have the dump setup as a cron job that runs once a day. If I clear the index and wait till the next time the job runs I find duplicate events for each row returned from the query. Im letting splunk generate the index time for each event and I am finding that each duplicate event has the same index time. I would expect to see different timestamps if it was from a previous dump. I found with troubleshooting that setting the input to use the table name instead of the query will only index the table data x1. Ill add my inputs.conf and query shortly.

Thanks,
Joe

0 Karma
Reply

cramasta
Builder
‎04-15-2013 11:02 AM

FYI - If i tell it to dump the table instead of a query it doesn't index events x2

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...