Heavy Forwarder can not preview SQL server data

xlin
Engager

Hello Splunk community,

We had the Splunk heavy forwarder set up on one machine, and the SQL Server database on the other machine. In the "Splunk DB Connect" app, when we try "New Input" on the "Data Lab" tab:

1. We are able to select the Connection

2. We are able to select Catalog (Dbname)

3. We are able to select Schema (dbo)

4. We are able to view the list of tables, and when we select "tablename", we see the SQL text in the "SQL Editor":

SELECT * from "Dbname"."dbo"."tablename"

But the query could not return any data to the "Preview Data" window. The data loading status stopped at 20%. When we click the "Execute SQL" button on the page, nothing changes. The status bar stays stopped at 20%. Also, we have no issue running the same query and getting the data back in SSMS on the same machine.

I am very new to Splunk; any help and suggestions are much appreciated!

1 Solution

chli_splunk
Splunk Employee

DBX query needs a port (default is 9998) to host the query server. From the error, it looks like this port is in use. Please check which process is listening on 9998, kill it if possible, and try again. Thanks.
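The check the answer asks for, as an added example (not from the original thread or from Splunk): a PowerShell script to run on the heavy forwarder that confirms the logged bind failure and identifies the process holding the port. It assumes the default port 9998 named above and a `splunkd.log` under `C:\Program Files\Splunk\var\log\splunk`, based on the install path in the error posted in this thread; pass other values if your setup differs.

```powershell
# Added example: diagnose the dbxquery "Address already in use" failure.
# Assumptions: default DBX query port 9998; Splunk installed in C:\Program Files\Splunk.
param(
    [int]$Port = 9998,
    [string]$SplunkHome = 'C:\Program Files\Splunk'
)

# 1. Confirm splunkd logged the query-server start failure (latest hits last).
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'action=dbxquery_server_start_failed' |
        Select-Object -Last 3 |
        ForEach-Object { $_.Line.Substring(0, [Math]::Min(200, $_.Line.Length)) }
} else {
    Write-Warning "splunkd.log not found at $log"
}

# 2. Find every process that is listening on the port.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $Port; the port is free."
    return
}

foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
    # Win32_Process exposes the executable path and full command line,
    # which show what the owning process actually is before it is stopped.
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
    [pscustomobject]@{
        Port        = $Port
        PID         = $procId
        Name        = $p.Name
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
    }
}
```

Run it from an elevated prompt so the path and command line of processes owned by other accounts are visible.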


chli_splunk
Splunk Employee

Any error logs from splunkd or dbx_server?

Most likely it's a problem with dbxquery. What's your DBX version? Is this upgraded from DBX 3.2 or previous? What's the charset of your DB?


xlin
Engager

Thank you so much for your quick reply, chli_splunk. Our team have decided to reinstall the system and components, so hopefully the new installation will be ok. For your information, we had Splunk DB Connect version 3.3.1; our DB is sqlserver 2016; default collation is SQL_Latin1_General-CP1_CI_AS. Also, I see an error message in splunkd that might have something to do with the issue we had:

07-27-2020 13:18:15.218 +0000 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\dbxquery.exe"" action=dbxquery_server_start_failed error=java.net.BindException: Address already in use: JVM_Bind stack=java.net.DualStackPlainSocketImpl.bind0(Native Method)\\java.net.DualStackPlainSocketImpl.socketBind(Unknown Source)\\java.net.AbstractPlainSocketImpl.bind(Unknown Source)\\java.net.PlainSocketImpl.bind(Unknown Source)\\java.net.ServerSocket.bind(Unknown Source)\\java.net.ServerSocket.<init>(Unknown Source)\\java.net.ServerSocket.<init>(Unknown Source)\\com.splunk.dbx.command.DbxQueryServer.run(DbxQueryServer.java:100)\\com.splunk.dbx.command.DbxQueryServerStart.startDbxQueryServer(DbxQueryServerStart.java:88)\\com.splunk.dbx.command.DbxQueryServerStart.streamEvents(DbxQueryServerStart.java:47)\\com.splunk.modularinput.Script.run(Script.java:66)\\com.splunk.modularinput.Script.run(Script.java:44)\\com.splunk.dbx.command.DbxQueryServerStart.main(DbxQueryServerStart.java:98)\\
