Getting Data In

Heavy Forwarder can not preview SQL server data

xlin
Engager

Hello Splunk community,

We had the splunk heavy forwarder set up on one machine, and SQL server database on the other machine. On "Splunk DB Connect" app, when we try the "New Input" on "Data Lab" tab:

1. We are able to select the Connection

2. We are able to select Catalog (Dbname)

3. We are able to select Schema (dbo)

4. We are able to view list of tables and when select "tablename", we see the sql text on "SQL Editor":

SELECT * from "Dbname"."dbo"."tablename"

But the query could not return any data back to the "Preview Data" window. Status of data loading stopped at 20%. When Click the "Execute SQL" button on the page, nothing changes. The status bar stopped same at 20%.  Also, we have no issue to run the same query and get the data back on SSMS on the same machine.

I am very new to splunk, any help and suggestions are much appreciated!

Labels (1)
0 Karma
1 Solution

chli_splunk
Splunk Employee
Splunk Employee

DBX query needs a port(default is 9998) to host the query server. From the error, looks like this port is in use. Please check which process is listening 9998, kill it if possible and try it again. Thanks.

View solution in original post

0 Karma

chli_splunk
Splunk Employee
Splunk Employee

Any error logs from splunkd or dbx_server?

Most likely it's the problems of dbxquery. What's your DBX version? Is this upgraded from DBX 3.2 or previous? What's the charset of your DB?

0 Karma

xlin
Engager

Thank you so much for your quick chli_splunk. Our team have decided to reinstall the system and components, so hopefully the new installation will be ok. For your information, we had Splunk DB Connect version 3.3.1; our DB is sqlserver  2016; default collation is SQL_Latin1_General-CP1_CI_AS.  Also, I see an error message in splunkd might have something to do with the issue we had:

07-27-2020 13:18:15.218 +0000 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\dbxquery.exe"" action=dbxquery_server_start_failed error=java.net.BindException: Address already in use: JVM_Bind stack=java.net.DualStackPlainSocketImpl.bind0(Native Method)\\java.net.DualStackPlainSocketImpl.socketBind(Unknown Source)\\java.net.AbstractPlainSocketImpl.bind(Unknown Source)\\java.net.PlainSocketImpl.bind(Unknown Source)\\java.net.ServerSocket.bind(Unknown Source)\\java.net.ServerSocket.<init>(Unknown Source)\\java.net.ServerSocket.<init>(Unknown Source)\\com.splunk.dbx.command.DbxQueryServer.run(DbxQueryServer.java:100)\\com.splunk.dbx.command.DbxQueryServerStart.startDbxQueryServer(DbxQueryServerStart.java:88)\\com.splunk.dbx.command.DbxQueryServerStart.streamEvents(DbxQueryServerStart.java:47)\\com.splunk.modularinput.Script.run(Script.java:66)\\com.splunk.modularinput.Script.run(Script.java:44)\\com.splunk.dbx.command.DbxQueryServerStart.main(DbxQueryServerStart.java:98)\\

0 Karma

chli_splunk
Splunk Employee
Splunk Employee

DBX query needs a port(default is 9998) to host the query server. From the error, looks like this port is in use. Please check which process is listening 9998, kill it if possible and try it again. Thanks.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...