Getting Data In

Sourcetype Missing

rahul2gupta
Path Finder

Hi @gcusello ,

We are using the following query:

index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | search warehouse=ql | stats sum(sessions) AS psessions by _time,program | timechart avg(psessions) by program

I found that the sourcetype does not exist. Can we create the sourcetype with the same name, i.e. wms_oracle_sessions?

If yes, what else do I need to do to get the events?

Regards,

Rahul


isoutamo
SplunkTrust

Add needed definitions to props.conf and also to transformations.conf (if needed). After that those apply to the new events (not to old events unless you reindex those events).

I also moved “search warehouse=ql” to the base search.

Is the machine needed in the 1st stats, as you don’t use it later?

r. Ismo


rahul2gupta
Path Finder

Hi @isoutamo ,

We have three servers in our environment.

  1. Forwarder -- axxxfd05
  2. Indexer -- axxxxlnd05
  3. Search Head -- axxxhd05

Can you please suggest on which server I need to add the definition in props.conf, and how will I know whether I need to add a definition in transformations.conf as well?

What definition do I need to add in props.conf, and how is reindexing those events done?

Regards,

Rahul


gcusello
SplunkTrust

Hi @rahul2gupta,

To override the index definition, you have to put props.conf and transforms.conf on the Indexers or (when present) on the Heavy Forwarders.

Ciao.

Giuseppe


rahul2gupta
Path Finder

Hi @gcusello ,

I checked in props.conf but could not understand anything.

What definition should I add in props.conf for sourcetype=wms_oracle_sessions?

Regards,

Rahul


gcusello
SplunkTrust

Hi @rahul2gupta,

What do you mean by "sourcetype doesn't exist"?

The sourcetype is usually defined in inputs.conf on the UFs. Could you share the inputs.conf used to read these logs?

Ciao.

Giuseppe


rahul2gupta
Path Finder

Hi @gcusello ,

The sourcetype wms_oracle_sessions is not defined in inputs.conf; in fact there is nothing there.

[root@axxxfd01 local]# cat inputs.conf
[root@axxxfd01 local]#

Regards,

Rahul


gcusello
SplunkTrust

Hi @rahul2gupta,

Where do these logs come from?

If from a file, find the correct inputs.conf and insert the sourcetype definition.

If you don't know which is the correct inputs.conf, you can use btool:

./splunk cmd btool inputs list -debug > my_inputs.txt

If from DB Connect, configure the sourcetype there.

Ciao.

Giuseppe


rahul2gupta
Path Finder

Hi @gcusello ,

Yeah, we are trying to configure the DB Connect V1 dashboard.

Actually, the Java bridge server was not working, but now it is working.


But its dashboard is not working.


The following is the query of EW:Oracle Sessions By Program:

index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | search warehouse=ew | stats sum(sessions) AS psessions by _time,program | timechart avg(psessions) by program

What could be done to solve this enigma?

Help me, Legend.

Regards,

Rahul


gcusello
SplunkTrust

Hi @rahul2gupta,

At first, check if you can use a more recent version of DB Connect!

Then see the sourcetype assignment in the DB Connect input; maybe it's only a different one!

Try to search in index=main for the logs from that input; maybe they have a different sourcetype, or maybe they arrived but then stopped.

Ciao.

Giuseppe


rahul2gupta
Path Finder

Hi @gcusello ,

I checked at the following location (see screenshot).

Here is the following screenshot.

And I could not find sourcetype=wms_oracle_sessions.

Regards,

Rahul


gcusello
SplunkTrust

Hi @rahul2gupta,

This means that there are two possibilities:

  • you don't have a connection to extract logs from Oracle with that sourcetype, so you have to create it,
  • you have the connection, but you're using the wrong sourcetype in your search, so you have to modify your dashboards to use the correct sourcetype.

Check which is the real situation.

Ciao.

Giuseppe


rahul2gupta
Path Finder

Hi @gcusello ,

We believe that we do not have a connection to extract logs from Oracle with that sourcetype, so we will create it.

Who will help me with the following details, the DBA team?


Regards,

Rahul


gcusello
SplunkTrust

Hi @rahul2gupta,

Here you can find all the documentation about DB Connect:

https://docs.splunk.com/Documentation/DBX/3.3.1/DeployDBX/AboutSplunkDBConnect

And here all the steps to configure your DB input:

https://docs.splunk.com/Documentation/DBX/3.3.1/DeployDBX/ConfigureDBConnectsettings

In a few words: if you already have the connection to the Oracle DB (driver, identity, etc.), you only have to configure the input by inserting:

  • connection name,
  • input type (usually tail),
  • database,
  • table or query to extract data,
  • rising column: this is the most important parameter: it's a growing identifier that permits DB Connect to understand where the last extraction stopped; if you don't have one, you have to create it, possibly by merging two columns (e.g. date+id),
  • Splunk fields: sourcetype, index and host,
  • output format (usually the default),
  • timestamp column and timestamp format (as for all Splunk inputs),
  • interval (as for all Splunk scripts).

Anyway, my hint is to follow the documentation and not my very short summary!

Ciao.

Giuseppe


rahul2gupta
Path Finder

Hi @gcusello ,

"Rising column: this is the most important parameter: it's a growing identifier that permits DB Connect to understand where the last extraction stopped; if you don't have one, you have to create it, possibly by merging two columns (e.g. date+id)."

Could you please guide me on how to create a rising column, as I couldn't find any relevant documentation?

Regards,

Rahul.


gcusello
SplunkTrust

Hi @rahul2gupta,

The rising_column is one of the fields of your query that has the property of always growing, e.g. a progressive number; in this way DB Connect, at every run, writes the last value of the rising column and next time starts from it.

If you have a progressive number (prog), you can use it as the rising_column, e.g.:

select date, name, prog, account
from my_table

If you have a progressive number that is reset daily, you cannot use it as is, but you can merge the date and the progressive number into a rising_column (my_prog), e.g. (sorry for my SQL!):

select date, name, prog, account, date&prog AS my_prog
from my_table

In other words, you move the problem from Splunk to SQL (and I cannot help you more!).

Ciao.

Giuseppe

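To make the rising-column point concrete (both the input parameter list above and the daily-reset case in the last reply), here is an added example that is not from the thread or from DB Connect itself: a small Python/sqlite3 simulation of a rising-mode poll, standing in for the Oracle table. The `tail` function is assumed to model how a checkpointed tail input behaves (fetch rows above the saved checkpoint, ordered ascending, then advance the checkpoint); `sessions`, the `day`/`prog` columns and the sample rows are constructed, and the composite key uses SQL `||` concatenation with zero-padded `prog` so that string ordering stays correct.

```python
import sqlite3

# Constructed sample rows: (day, prog, warehouse, program).
# prog restarts at 1 every day, the "daily reset" case from the thread.
DAY1 = [("2020-07-15", 1, "ew", "picker"),
        ("2020-07-15", 2, "ew", "packer"),
        ("2020-07-15", 3, "ql", "picker")]
DAY2 = [("2020-07-16", 1, "ew", "picker"),
        ("2020-07-16", 2, "ql", "packer")]

# Two candidate rising columns. The composite zero-pads prog so that plain
# string comparison orders '...000010' after '...000009'.
RISING_PROG_ONLY = "prog"
RISING_COMPOSITE = "day || printf('%06d', prog)"


def make_db():
    """In-memory table standing in for the Oracle sessions table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (day TEXT, prog INTEGER, warehouse TEXT, program TEXT)")
    return conn


def tail(conn, rising_expr, checkpoint):
    """One rising-mode poll (modelled, not DB Connect's real code): return the rows
    whose rising value is above the saved checkpoint and the new checkpoint."""
    sql = (f"SELECT day, prog, warehouse, program, {rising_expr} AS rising "
           f"FROM sessions WHERE {rising_expr} > ? ORDER BY rising ASC")
    rows = conn.execute(sql, (checkpoint,)).fetchall()
    new_checkpoint = rows[-1][-1] if rows else checkpoint
    return rows, new_checkpoint


def simulate(rising_expr, initial_checkpoint):
    """Load day 1, poll, load day 2, poll again; return rows fetched per poll."""
    conn = make_db()
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?)", DAY1)
    first, cp = tail(conn, rising_expr, initial_checkpoint)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?)", DAY2)
    second, cp = tail(conn, rising_expr, cp)
    return len(first), len(second)


if __name__ == "__main__":
    # prog alone: checkpoint sticks at 3, day-2 rows (prog 1 and 2) are never ingested
    print("prog only:", simulate(RISING_PROG_ONLY, 0))
    # day||prog: the checkpoint keeps growing across the reset, nothing is lost
    print("day+prog :", simulate(RISING_COMPOSITE, ""))
```

The silent loss in the first run is the failure mode to check for when a DB input stops producing events even though the connection and sourcetype look right.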