Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: dbmon-dump not indexing my records
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
i am struggling with my db-dump input in loading data from db query to index. I have defined the db input using dbx 1.1.3 app and it executes fine with the defined time. I could see the records being read in the dbx.log file but they don't get indexed. Could anyone guide me with this? why it is behaving like this and where exactly all those records are going? Please let me know if more info is required.
I keep getting this success messages but no indexed records 😞
2014-05-03 12:02:00.049 monsch1:INFO:Scheduler - Execution of input=[dbmon-dump://Test/dump2] finished in duration=48 ms with resultCount=183 success=true continueMonitoring=true
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh Okay, after such a long struggle figured out where the problem was. Even if it's not connected with the actual input the below actually batch processes all the monitored events. Don't know why it was actually missing in the first place. Linux and windows has it's own directory path format. Mine is windows and after making it proper it's now monitoring all the events even the pending ones. Hope it really gives starting point for some people.
[batch://$SPLUNK_HOME\var\spool\dbmon\*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
I am using SQL Server where it recognizes the time fields and assigns them in the events in the index directly. So no need to convert them to varchar or char format. Happy for my Sunday now 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh Okay, after such a long struggle figured out where the problem was. Even if it's not connected with the actual input the below actually batch processes all the monitored events. Don't know why it was actually missing in the first place. Linux and windows has it's own directory path format. Mine is windows and after making it proper it's now monitoring all the events even the pending ones. Hope it really gives starting point for some people.
[batch://$SPLUNK_HOME\var\spool\dbmon\*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
I am using SQL Server where it recognizes the time fields and assigns them in the events in the index directly. So no need to convert them to varchar or char format. Happy for my Sunday now 😄
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
