Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dbmon-dump not indexing my records

linu1988
Champion
‎05-02-2014 11:03 PM

Hello All,
i am struggling with my db-dump input in loading data from db query to index. I have defined the db input using dbx 1.1.3 app and it executes fine with the defined time. I could see the records being read in the dbx.log file but they don't get indexed. Could anyone guide me with this? why it is behaving like this and where exactly all those records are going? Please let me know if more info is required.

I keep getting this success messages but no indexed records 😞
2014-05-03 12:02:00.049 monsch1:INFO:Scheduler - Execution of input=[dbmon-dump://Test/dump2] finished in duration=48 ms with resultCount=183 success=true continueMonitoring=true
Thank you in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎05-03-2014 01:50 PM

Oh Okay, after such a long struggle figured out where the problem was. Even if it's not connected with the actual input the below actually batch processes all the monitored events. Don't know why it was actually missing in the first place. Linux and windows has it's own directory path format. Mine is windows and after making it proper it's now monitoring all the events even the pending ones. Hope it really gives starting point for some people.

[batch://$SPLUNK_HOME\var\spool\dbmon\*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

I am using SQL Server where it recognizes the time fields and assigns them in the events in the index directly. So no need to convert them to varchar or char format. Happy for my Sunday now 😄

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎05-03-2014 01:50 PM

Oh Okay, after such a long struggle figured out where the problem was. Even if it's not connected with the actual input the below actually batch processes all the monitored events. Don't know why it was actually missing in the first place. Linux and windows has it's own directory path format. Mine is windows and after making it proper it's now monitoring all the events even the pending ones. Hope it really gives starting point for some people.

[batch://$SPLUNK_HOME\var\spool\dbmon\*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

I am using SQL Server where it recognizes the time fields and assigns them in the events in the index directly. So no need to convert them to varchar or char format. Happy for my Sunday now 😄

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...