Splunk Cloud Platform

If DBConnect host changes, will it download the complete database?

splunkcol
Builder

I have a Splunk Cloud implementation where, on the client side, there is a Heavy Forwarder type server that collects and forwards logs to Splunk Cloud.

In that Heavy Forwarder there is also the DBConnect plugin to get the data from a database.

My question is: if for some reason the hostname of the database changes and I put in the hostname of the new database and the respective port, since it is a new database for Splunk, would it download it completely? The configuration was made in "Rising" mode so that it only discards the new logs, but since for the add-on it would be a new database, would it then download the complete database?

If it is a database with logs more than 5 years old, is there any method to bring them into Splunk, since it will obviously exceed the daily license?

 


scelikok
SplunkTrust

Hi @splunkcol,

The Splunk DBConnect app uses a checkpoint if rising mode is configured. These checkpoints are input parameters, not connections. That is why updating the hostname in the connection does not affect the checkpoints in inputs.

If you want to be safe, you can follow the path below:

- Disable input,
- Note the current checkpoint,
- Update hostname on connection,
- Check if checkpoint is still the same, correct if needed,
- Enable output.

 

If this reply helps you, an upvote and "Accept as Solution" is appreciated.


scelikok
SplunkTrust

Hi @splunkcol,

The reason there is no result may be that there is no new data after the last query. If there is no new data after the checkpoint value, it is normal to see "No results found". You can check by deleting the 2nd and 3rd rows of your SQL and executing. It should show the results. If so, everything seems OK.

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
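The behaviour described in the two answers above, as an added example that is not part of the original thread and is not Splunk's code: a simplified Python model in which the checkpoint is stored on the input rather than on the connection. The `audit_log` table, the `RisingInput` class and the `migrate` helper are hypothetical, and the model assumes the new host holds the same rows with the same rising-column values.

```python
import sqlite3

# Rising-style query: fetch only rows past the stored checkpoint.
RISING_SQL = "SELECT id, msg FROM audit_log WHERE id > ? ORDER BY id ASC"

def make_db(rows):
    """Constructed in-memory database standing in for one database host."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, msg TEXT)")
    db.executemany("INSERT INTO audit_log VALUES (?, ?)", rows)
    return db

class RisingInput:
    """Hypothetical model of a rising input: the checkpoint lives on the input."""
    def __init__(self, connection, checkpoint=0):
        self.connection = connection
        self.checkpoint = checkpoint
        self.enabled = True

    def run(self):
        if not self.enabled:
            return []
        rows = self.connection.execute(RISING_SQL, (self.checkpoint,)).fetchall()
        if rows:
            self.checkpoint = rows[-1][0]  # advance to the highest id seen
        return rows

def migrate(inp, new_connection):
    """Disable, note the checkpoint, repoint the connection, verify, re-enable."""
    inp.enabled = False
    noted = inp.checkpoint
    inp.connection = new_connection
    if inp.checkpoint != noted:   # correct if needed
        inp.checkpoint = noted
    inp.enabled = True
    return noted

def demo():
    history = [(i, f"event {i}") for i in range(1, 6)]   # constructed sample rows
    old_host = make_db(history)
    new_host = make_db(history + [(6, "event 6")])       # same data plus one new row
    inp = RisingInput(old_host)
    first = inp.run()                      # initial load reads all 5 rows
    noted = migrate(inp, new_host)
    after = inp.run()                      # only the row past the checkpoint
    again = inp.run()                      # no new data: empty result
    fresh = RisingInput(new_host).run()    # a new input has no checkpoint: full read
    return len(first), noted, after, again, len(fresh)

if __name__ == "__main__":
    print(demo())
```

The empty `again` result is the model's equivalent of "No results found", and the `fresh` case shows that a full read happens only when a new input starts without the old checkpoint.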

splunkcol
Builder

 

Hi, thanks for your help, I no longer get a connection error.

Now I have another problem: when I enter the SQL query and press the "Execute SQL" button, it should show a preview of the records, but it is not showing anything.

The strange thing is that it does detect the fields "catalog", "schema" and "Table"; with this I understand that there are no connection or authentication problems, but I do not understand why it fails to display the table data.

Any suggestions on what I should check?
