Getting Data In

Heavy Forwarder can not preview SQL server data

Engager

Hello Splunk community,

We had the splunk heavy forwarder set up on one machine, and SQL server database on the other machine. On "Splunk DB Connect" app, when we try the "New Input" on "Data Lab" tab:

1. We are able to select the Connection

2. We are able to select Catalog (Dbname)

3. We are able to select Schema (dbo)

4. We are able to view list of tables and when select "tablename", we see the sql text on "SQL Editor":

SELECT * from "Dbname"."dbo"."tablename"

But the query could not return any data back to the "Preview Data" window. Status of data loading stopped at 20%. When Click the "Execute SQL" button on the page, nothing changes. The status bar stopped same at 20%.  Also, we have no issue to run the same query and get the data back on SSMS on the same machine.

I am very new to splunk, any help and suggestions are much appreciated!

Labels (1)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

DBX query needs a port(default is 9998) to host the query server. From the error, looks like this port is in use. Please check which process is listening 9998, kill it if possible and try it again. Thanks.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Any error logs from splunkd or dbx_server?

Most likely it's the problems of dbxquery. What's your DBX version? Is this upgraded from DBX 3.2 or previous? What's the charset of your DB?

0 Karma

Engager

Thank you so much for your quick chli_splunk. Our team have decided to reinstall the system and components, so hopefully the new installation will be ok. For your information, we had Splunk DB Connect version 3.3.1; our DB is sqlserver  2016; default collation is SQL_Latin1_General-CP1_CI_AS.  Also, I see an error message in splunkd might have something to do with the issue we had:

07-27-2020 13:18:15.218 +0000 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\dbxquery.exe"" action=dbxquery_server_start_failed error=java.net.BindException: Address already in use: JVM_Bind stack=java.net.DualStackPlainSocketImpl.bind0(Native Method)\\java.net.DualStackPlainSocketImpl.socketBind(Unknown Source)\\java.net.AbstractPlainSocketImpl.bind(Unknown Source)\\java.net.PlainSocketImpl.bind(Unknown Source)\\java.net.ServerSocket.bind(Unknown Source)\\java.net.ServerSocket.<init>(Unknown Source)\\java.net.ServerSocket.<init>(Unknown Source)\\com.splunk.dbx.command.DbxQueryServer.run(DbxQueryServer.java:100)\\com.splunk.dbx.command.DbxQueryServerStart.startDbxQueryServer(DbxQueryServerStart.java:88)\\com.splunk.dbx.command.DbxQueryServerStart.streamEvents(DbxQueryServerStart.java:47)\\com.splunk.modularinput.Script.run(Script.java:66)\\com.splunk.modularinput.Script.run(Script.java:44)\\com.splunk.dbx.command.DbxQueryServerStart.main(DbxQueryServerStart.java:98)\\

0 Karma

Splunk Employee
Splunk Employee

DBX query needs a port(default is 9998) to host the query server. From the error, looks like this port is in use. Please check which process is listening 9998, kill it if possible and try it again. Thanks.

View solution in original post

0 Karma