Hi @gcusello ,
We are using the following query:
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | search warehouse=ql | stats sum(sessions) AS psessions by _time,program | timechart avg(psessions) by program
I found that the sourcetype does not exist. Can we create the sourcetype with the same name, i.e. wms_oracle_sessions?
If yes, what else do I need to do to get the events?
Regards,
Rahul
Add needed definitions to props.conf and also to transformations.conf (if needed). After that those apply to the new events (not to old events unless you reindex those events).
I also moved “search warehouse=ql” to the base search.
Is the machine needed in the 1st stats as you don’t use it later?
r. Ismo
Hi @isoutamo ,
We have three servers in our environment.
Can you please suggest on which server I need to add the definition in props.conf, and how will I come to know that I need to add a definition in transformations.conf as well?
What definition do I need to add in props.conf, and how is reindexing of those events done?
Regards,
Rahul
Hi @rahul2gupta,
to override index definition, you have to put props.conf and transforms.conf on Indexers or (when present) on Heavy Forwarders.
Ciao.
Giuseppe
Hi @gcusello ,
I checked in props.conf but could not understand anything.
What definition should I add in props.conf for sourcetype=wms_oracle_sessions?
Regards,
Rahul
Hi @rahul2gupta,
what do you mean with sourcetype doesn't exist?
sourcetype is usually defined in inputs.conf on the UFs, could you share the inputs.conf to read these logs?
Ciao.
Giuseppe
Hi @gcusello ,
sourcetype wms_oracle_sessions is not defined in inputs.conf, perhaps there is nothing there.
[root@axxxfd01 local]# cat inputs.conf
[root@axxxfd01 local]#
Regards,
Rahul
Hi @rahul2gupta,
where do these logs come from?
if from file, find the correct inputs.conf and insert sourcetype definition.
If you don't know what's the correct inputs.conf, you can use btool:
./splunk cmd btool inputs list -debug > my_inputs.txt
If from DB-Connect, configure sourcetype here.
Ciao.
Giuseppe
Hi @gcusello ,
Yeah, we are trying to configure the DB Connect V1 dashboard.
Actually, the java bridge server was not working but now it is working.
But its dashboard is not working.
Following is the query of EW:Oracle Sessions By Program.
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | search warehouse=ew | stats sum(sessions) AS psessions by _time,program | timechart avg(psessions) by program
What could be done to solve this enigma?
Help me, Legend.
Regards,
Rahul
Hi @rahul2gupta,
at first check if you can use a more recent version of DB-Connect!
then see in DB-Connect input the sourcetype assignment, maybe it's only a different one!
try to search in index=main if there are the logs from that input, maybe they have a different sourcetype or maybe they arrived but then stopped.
Ciao.
Giuseppe
Hi @gcusello ,
I checked at the following location.
Here is the following screenshot.
And could not find sourcetype=wms_oracle_sessions.
Regards,
Rahul
Hi @rahul2gupta,
this means that there are two choices:
Check which is the real situation.
Ciao.
Giuseppe
Hi @gcusello ,
We believe that we do not have a connection to extract logs from Oracle with that sourcetype, so we will create it.
Who will help me with the following details, the DBA Team?
Regards,
Rahul
Hi @rahul2gupta,
here you can find all the documentation about DB-Connect
https://docs.splunk.com/Documentation/DBX/3.3.1/DeployDBX/AboutSplunkDBConnect
and here all the steps to configure your DB input:
https://docs.splunk.com/Documentation/DBX/3.3.1/DeployDBX/ConfigureDBConnectsettings
in few words: if you already have the connection with Oracle DB (driver, identity, etc...), you have only to configure the input inserting:
Anyway, my hint is to follow the documentation and not my very short summary!
Ciao.
Giuseppe
Hi @gcusello ,
Rising column: this is the most important parameter: it's a growing identifier that permits to DB Connect to understand where the last extraction stopped, if you haven't it, you have to create it using eventually the merge of two columns (e.g. date+id).
Could you please guide how to create the Rising column, as I couldn't find any relevant documentation?
Regards,
Rahul.
Hi @rahul2gupta,
the rising_column is one of the fields of your query with the feature to be always growing, e.g. a progressive number; in this way DB-Connect, at every run, writes the last value of the rising column and next time starts from it.
If you have a progressive number (prog), you can use it as rising_column, e.g.:
select date, name, prog, account
from my_table
if you have a progressive number that is reset daily, you cannot use it as is but you can merge date and progressive number as rising_column (my_prog), e.g. (sorry for my SQL!):
select date, name, prog, account, date || prog AS my_prog
from my_table
In other words, you move the problem from Splunk to SQL (and I cannot help you more!).
Ciao.
Giuseppe
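The daily-reset case from the reply above, as an added example (not code from the thread or from DB Connect): it uses Python's sqlite3 to simulate a checkpointed input and shows why the merged key needs a fixed-width, zero-padded counter, otherwise events are silently skipped. The table contents, the `day` column name and the six-digit width are assumptions; in Oracle the same key would be built with TO_CHAR and LPAD.

```python
import sqlite3

# Constructed sample rows (day, prog, name); prog restarts at 1 every day,
# so prog alone cannot serve as the rising column.
ROWS = [
    ("2024-03-01", 9, "a"), ("2024-03-01", 10, "b"),
    ("2024-03-02", 1, "c"), ("2024-03-02", 2, "d"),
]

# Zero-padded counter: string order of the key equals (day, prog) order.
PADDED = "strftime('%Y%m%d', day) || printf('%06d', prog)"
# Naive merge: '2024030110' sorts before '202403019', so order breaks at prog=10.
NAIVE = "strftime('%Y%m%d', day) || prog"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE my_table (day TEXT, prog INTEGER, name TEXT)")
    return db

def poll(db, key_expr, checkpoint):
    """One input run: fetch rows whose key is above the stored checkpoint."""
    # key_expr is one of the fixed constants above, never user input.
    sql = (f"SELECT name, {key_expr} AS my_prog FROM my_table "
           f"WHERE {key_expr} > ? ORDER BY my_prog ASC")
    rows = db.execute(sql, (checkpoint,)).fetchall()
    new_checkpoint = rows[-1][1] if rows else checkpoint
    return [name for name, _ in rows], new_checkpoint

def ingest(key_expr):
    """Rows arrive one at a time in source order, with a poll after each."""
    db, checkpoint, seen = make_db(), "", []
    for row in ROWS:
        db.execute("INSERT INTO my_table VALUES (?, ?, ?)", row)
        names, checkpoint = poll(db, key_expr, checkpoint)
        seen += names
    return seen

if __name__ == "__main__":
    print("padded key:", ingest(PADDED))  # every row indexed once
    print("naive key: ", ingest(NAIVE))   # row 'b' never reaches the index
```

For a session or audit feed, the row lost with the naive key is a gap in the index that no later run fills, because the checkpoint has already moved past it.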