Hi @gcusello ,
We are using the following query:
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | search warehouse=ql | stats sum(sessions) AS psessions by _time,program | timechart avg(psessions) by program
I found that sourcetype does not exist. Can we create the sourcetype with the same name, i.e. wms_oracle_sessions?
If yes, what else do I need to do to get the events?
Add needed definitions to props.conf and also to transformations.conf (if needed). After that those apply to the new events (not to old events unless you reindex those events).
I also moved “search warehouse=ql” to the base search.
Is the machine needed in the 1st stats as you don’t use it later?
Hi @isoutamo ,
We have three servers in our environment.
Can you please suggest on which server I need to add the definition in props.conf, and how will I come to know that I need to add a definition in transformations.conf as well?
What definition do I need to add in props.conf, and how is reindexing those events done?
Where do these logs come from?
If from a file, find the correct inputs.conf and insert the sourcetype definition.
If you don't know what's the correct inputs.conf, you can use btool:
./splunk cmd btool inputs list -debug > my_inputs.txt
If from DB-Connect, configure sourcetype here.
Hi @gcusello ,
Yeah, we are trying to configure the DB Connect V1 dashboard.
Actually, the Java bridge server was not working, but now it is working.
But its dashboard is not working.
Following is the query of EW:Oracle Sessions By Program.
index=main sourcetype=wms_oracle_sessions | bucket span=5m _time | stats count AS sessions by _time,warehouse,machine,program | search warehouse=ew | stats sum(sessions) AS psessions by _time,program | timechart avg(psessions) by program
What could be done to solve this enigma?
At first, check if you can use a more recent version of DB-Connect!
Then see the sourcetype assignment in the DB-Connect input, maybe it's only a different one!
Try to search in index=main if there are the logs from that input, maybe they have a different sourcetype or maybe they arrived but then stopped.
This means that there are two choices:
Check which is the real situation.
Here you can find all the documentation about DB-Connect
and here all the steps to configure your DB input:
In a few words: if you already have the connection with Oracle DB (driver, identity, etc...), you only have to configure the input inserting:
Anyway, my hint is to follow the documentation and not my very short summary!
Hi @gcusello ,
Rising column: this is the most important parameter: it's a growing identifier that permits DB Connect to understand where the last extraction stopped, if you haven't it, you have to create it using eventually the merge of two columns (e.g. date+id).
Could you please guide how to create Rising column as I couldn't find any relevant documentation.
The rising_column is one of the fields of your query with the feature to be always growing, e.g. a progressive number; in this way DB-Connect, at every run, writes the last value of the rising column and next time starts from it.
If you have a progressive number (prog), you can use it as rising_column, e.g.:
select date, name, prog, account from my_table
If you have a progressive number that is reset daily, you cannot use it as is, but you can merge the date and the progressive number as rising_column (my_prog), e.g. (sorry for my SQL!):
select date, name, prog, account, date&prog AS my_prog from my_table
In other words, you move the problem from Splunk to SQL (and I cannot help you more!).
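The rising-column behaviour described in the replies above, as an added example that is not part of the original thread: a Python simulation over an in-memory SQLite table (standing in for Oracle) with constructed rows, comparing a daily-reset `prog` with a date-plus-zero-padded-`prog` key. The `poll` and `simulate` helpers, the checkpoint query shape and the composite expression are assumptions for illustration; `my_table` and its columns follow the replies.

```python
import sqlite3

# Constructed sample rows: prog restarts at 1 each day (the daily-reset case).
ROWS = [
    ("2024-01-01", "alice", 1, "A1"),
    ("2024-01-01", "bob", 2, "A2"),
    ("2024-01-01", "carol", 3, "A3"),
    ("2024-01-02", "dave", 1, "A4"),
    ("2024-01-02", "erin", 2, "A5"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE my_table (date TEXT, name TEXT, prog INTEGER, account TEXT)"
    )
    return db

def poll(db, rising_expr, checkpoint):
    """One input run: fetch rows above the saved checkpoint, in rising order.

    rising_expr is a fixed SQL expression chosen by the admin (never user
    input); the checkpoint value is passed as a bound parameter.
    """
    sql = (f"SELECT name, {rising_expr} AS rc FROM my_table "
           f"WHERE {rising_expr} > ? ORDER BY rc ASC")
    rows = db.execute(sql, (checkpoint,)).fetchall()
    if rows:
        checkpoint = rows[-1][1]  # remember the highest value seen
    return [r[0] for r in rows], checkpoint

def simulate(rising_expr, start):
    """Load one day of rows, poll, load the next day, poll again."""
    db = make_db()
    seen, checkpoint = [], start
    for day in ("2024-01-01", "2024-01-02"):
        db.executemany("INSERT INTO my_table VALUES (?,?,?,?)",
                       [r for r in ROWS if r[0] == day])
        names, checkpoint = poll(db, rising_expr, checkpoint)
        seen += names
    return seen

if __name__ == "__main__":
    # prog alone: day-2 rows (prog 1 and 2) sit below checkpoint 3 and are skipped.
    print("prog only:", simulate("prog", 0))
    # date + zero-padded prog sorts correctly as text, so no row is lost.
    print("composite:", simulate("date || '-' || printf('%06d', prog)", ""))
```

The zero padding matters: without it, a text comparison would rank prog 10 below prog 9 within the same day.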