
Unable to configure Sybase audit logs with DB Connect 3 on Splunk 6.6

gadepoonam
Explorer

I am trying to configure the Sybase sysaudits_01 table with DB Connect in Splunk. The sysaudits_01 table has an eventtime column which has the datetime data type. I am trying to configure this datetime column as the rising column for a Splunk DB Connect data input.
In the query editor with a checkpoint value, the query executes fine. But when I try to save the configuration, it does not save the config.
It gives the following error in the DB Connect Splunk server log file.
Can you please suggest?

2017-07-10 09:00:33.547 +0000 [QuartzScheduler_Worker-25] INFO c.s.d.s.dbinput.recordreader.DbInputRecordReader - action=db_input_record_reader_is_opened input_task="sybase_audit" query=SELECT * FROM "sybsecurity"."dbo"."sysaudits_01" where CONVERT(CHAR(19), eventtime, 23) > CONVERT(CHAR(19), ?, 23) order by CONVERT(CHAR(19), eventtime, 23)
2017-07-10 09:00:33.551 +0000 [QuartzScheduler_Worker-25] INFO c.s.d.server.dbinput.task.DbInputCheckpointManager - action=loading_checkpoint value=null
2017-07-10 09:00:33.552 +0000 [QuartzScheduler_Worker-25] ERROR org.easybatch.core.job.BatchJob - Unable to open record reader
java.lang.NullPointerException: null
at com.fasterxml.jackson.core.JsonFactory.createParser(JsonFactory.java:879)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2833)
at com.splunk.dbx.server.dbinput.task.DbInputCheckpointManager.parseOutput(DbInputCheckpointManager.java:184)
at com.splunk.dbx.server.dbinput.task.DbInputCheckpointManager.loadImpl(DbInputCheckpointManager.java:247)
at com.splunk.dbx.server.dbinput.task.DbInputCheckpointManager.load(DbInputCheckpointManager.java:132)
at com.splunk.dbx.server.dbinput.task.DbInputTask.loadCheckpoint(DbInputTask.java:88)
at com.splunk.dbx.server.dbinput.recordreader.DbInputRecordReader.open(DbInputRecordReader.java:57)
at org.easybatch.core.job.BatchJob.openReader(BatchJob.java:117)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:74)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2017-07-10 09:00:33.552 +0000 [QuartzScheduler_Worker-25] INFO org.easybatch.core.job.BatchJob - Job 'sybase_audit' finished with status: FAILED
2017-07-10 09:01:33.548 +0000 [QuartzScheduler_Worker-26] INFO org.easybatch.core.job.BatchJob - Job 'sybase_audit' starting
2017-07-10 09:01:33.549 +0000 [QuartzScheduler_Worker-26] INFO org.easybatch.core.job.BatchJob - Batch size: 1,000
2017-07-10 09:01:33.549 +0000 [QuartzScheduler_Worker-26] INFO org.easybatch.core.job.BatchJob - Error threshold: N/A
2017-07-10 09:01:33.549 +0000 [QuartzScheduler_Worker-26] INFO org.easybatch.core.job.BatchJob - Jmx monitoring: false
2017-07-10 09:01:33.549 +0000 [QuartzScheduler_Worker-26] INFO c.s.d.s.dbinput.recordreader.DbInputRecordReader - action=db_input_record_reader_is_opened input_task="sybase_audit" query=SELECT * FROM "sybsecurity"."dbo"."sysaudits_01" where CONVERT(CHAR(19), eventtime, 23) > CONVERT(CHAR(19), ?, 23) order by CONVERT(CHAR(19), eventtime, 23)
2017-07-10 09:01:33.556 +0000 [QuartzScheduler_Worker-26] INFO c.s.d.server.dbinput.task.DbInputCheckpointManager - action=loading_checkpoint value=null
2017-07-10 09:01:33.557 +0000 [QuartzScheduler_Worker-26] ERROR org.easybatch.core.job.BatchJob - Unable to open record reader
java.lang.NullPointerException: null
at com.fasterxml.jackson.core.JsonFactory.createParser(JsonFactory.java:879)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2833)
at com.splunk.dbx.server.dbinput.task.DbInputCheckpointManager.parseOutput(DbInputCheckpointManager.java:184)
at com.splunk.dbx.server.dbinput.task.DbInputCheckpointManager.loadImpl(DbInputCheckpointManager.java:247)
at com.splunk.dbx.server.dbinput.task.DbInputCheckpointManager.load(DbInputCheckpointManager.java:132)
at com.splunk.dbx.server.dbinput.task.DbInputTask.loadCheckpoint(DbInputTask.java:88)
at com.splunk.dbx.server.dbinput.recordreader.DbInputRecordReader.open(DbInputRecordReader.java:57)
at org.easybatch.core.job.BatchJob.openReader(BatchJob.java:117)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:74)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

1 Solution

gadepoonam
Explorer

Fixed the error by configuring the DB input with the following query for the rising column:

SELECT * FROM (
    SELECT *, (cast(
        cast(datepart(year, eventtime) as varchar) +
        right('0' + cast(datepart(month, eventtime) as varchar), 2) +
        right('0' + cast(datepart(day, eventtime) as varchar), 2) +
        right('0' + cast(datepart(hour, eventtime) as varchar), 2) +
        right('0' + cast(datepart(minute, eventtime) as varchar), 2) +
        right('0' + cast(datepart(second, eventtime) as varchar), 2) +
        /* pad milliseconds with '00' so the id is always 17 digits */
        right('00' + cast(datepart(millisecond, eventtime) as varchar), 3)
        as numeric(18,0))) as id
    FROM "sybsecurity"."dbo"."sysaudits_01" ) dt
WHERE dt.id > ?
ORDER BY dt.id
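An added example, not part of the original post: a Python stand-in for the query's id expression and its `id > ?` checkpoint, showing why the millisecond part must be padded to a fixed three digits and what happens to rows that tie with the checkpoint. The function names and the sample rows are hypothetical and constructed for illustration.

```python
from datetime import datetime

def rising_id(ts, ms_pad="00"):
    """Build yyyymmddHHMMSSmmm the way the query does, by string concatenation.
    ms_pad is the prefix passed to right(..., 3) for the millisecond part."""
    def two(n):
        return ("0" + str(n))[-2:]                    # right('0' + x, 2)
    ms = (ms_pad + str(ts.microsecond // 1000))[-3:]  # right(ms_pad + x, 3)
    return int(str(ts.year) + two(ts.month) + two(ts.day)
               + two(ts.hour) + two(ts.minute) + two(ts.second) + ms)

def poll(rows, checkpoint, ms_pad="00"):
    """One scheduled run: WHERE id > ? ORDER BY id. Returns (labels, new checkpoint)."""
    batch = sorted((rising_id(ts, ms_pad), label) for ts, label in rows)
    batch = [(i, label) for i, label in batch if i > checkpoint]
    new_checkpoint = batch[-1][0] if batch else checkpoint
    return [label for _, label in batch], new_checkpoint

# Constructed sample rows (not real audit data): (eventtime, label)
ROWS = [
    (datetime(2017, 7, 10, 9, 0, 33, 996000), "login"),
    (datetime(2017, 7, 10, 9, 0, 34, 3000), "grant"),  # millisecond part is 3
    (datetime(2017, 7, 10, 9, 0, 34, 3000), "drop"),   # same eventtime, written later
]

def replay(ms_pad):
    """Three runs; each later run sees one more row in the table."""
    delivered, checkpoint = [], 0
    for visible in (1, 2, 3):
        labels, checkpoint = poll(ROWS[:visible], checkpoint, ms_pad)
        delivered += labels
    return delivered

if __name__ == "__main__":
    print(rising_id(ROWS[1][0], "00"))  # 17 digits
    print(rising_id(ROWS[1][0], "0"))   # 16 digits: sorts below every 17-digit id
    print(replay("00"))
    print(replay("0"))
```

With a single `'0'` prefix, any row whose millisecond part is below 10 gets a 16-digit id and falls under the stored checkpoint, so it is never indexed. Even with correct padding, a row that shares its eventtime with the checkpoint row is skipped by the strict `>`, which matters when the table is an audit trail.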


gadepoonam
Explorer

Did anyone get a chance to look into it please?
