Splunk Dev

Why can't db_connect output results to a MySQL database?

xsstest
Communicator

I installed db_connect 3.1.2 on the search head of an SHC (search head cluster) deployment. I want to output search results from Splunk to a MySQL database. I tried the following two methods, but the MySQL database still has no data.

Search (the alert type is real-time and it runs with admin permissions):
index=attackinfo|field _time src_ip dst_ip result system

1. Save it as an alert and add the DBX output alert action as a trigger action
OR
2. Add |dbxoutput output="outputAttackinfoToLiveMap" at the end of the search

When some events pass through the search window, these events are not output to MySQL. Why? But when I open a search and run the search statement a second time, these events are written to MySQL.

Why are events not written to MySQL when the search is saved as an alert, while running the search statement directly does output to the MySQL db? I tried changing the alert type to a cron expression,

-1m@m @m */1 * * * *

but it is still the same.


xsstest
Communicator

The question is still not resolved, and no one knows why?

0 Karma

p_gurav
Champion

Hi,

I am not sure, but as per the doc:
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.

Also, can you tell me the database output settings you configured? Refer to this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs

0 Karma

xsstest
Communicator

Hi @p_gurav,

"not support running scheduled task."

When I configure an output, one option is "Scheduling", but I didn't check it, so I chose to use an alert to output to the MySQL database.
Do you mean the scheduled task refers to this option?

0 Karma

p_gurav
Champion

OK. Can you share the database output you created?

0 Karma

xsstest
Communicator

@p_gurav

[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0

This is what I entered manually, because I can't copy information from the intranet.

0 Karma
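A stanza like the one posted above is easy to get subtly wrong when it has to be retyped from an isolated network, and a typo in it fails silently: the output simply writes nothing. The following is an added example, not code from this thread or from Splunk DB Connect, of a small linter for a db_outputs.conf output stanza. It embeds a constructed copy of the posted stanza as sample input and flags three things a reviewer would look for: a malformed entry in customized_mappings (the entries are assumed to be comma-separated field:column:type triples, with the type given as a java.sql.Types code such as 12 for VARCHAR and 4 for INTEGER), a search that pipes to "field" instead of the SPL "fields" command (a search that errors out yields no rows to write), and a scheduled output on a search head cluster member, which the DB Connect 3 documentation quoted earlier says is unsupported. The stanza key names are taken from the post; the check logic and the on_search_head_cluster flag are my assumptions.

```python
import configparser
import re

# Constructed copy of the db_outputs.conf stanza posted in this thread, used here
# as sample input only (it was typed by hand, not exported from a live system).
SAMPLE_DB_OUTPUTS_CONF = """\
[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0
"""

# java.sql.Types constants that appear as the third element of a mapping entry.
JDBC_TYPES = {4: "INTEGER", -5: "BIGINT", 8: "DOUBLE", 12: "VARCHAR", 93: "TIMESTAMP"}

# One mapping entry: <splunk_field>:<table_column>:<jdbc_type_code>
# (assumed grammar: comma-separated triples; the page does not spell it out).
ENTRY_RE = re.compile(r"^([A-Za-z_][\w.]*):([A-Za-z_]\w*):(-?\d+)$")


def parse_mappings(raw: str):
    """Split a customized_mappings value into (field, column, type_code) triples.

    Returns (triples, problems); problems is a list of human-readable strings
    describing entries that could not be parsed or use an unknown type code.
    """
    triples, problems = [], []
    for entry in raw.split(","):
        entry = entry.strip()
        m = ENTRY_RE.match(entry)
        if not m:
            hint = " (contains ';'; entries must be separated by ',')" if ";" in entry else ""
            problems.append(f"malformed mapping entry {entry!r}{hint}")
            continue
        field, column, code = m.group(1), m.group(2), int(m.group(3))
        if code not in JDBC_TYPES:
            problems.append(f"unrecognised java.sql.Types code {code} for field {field}")
        triples.append((field, column, code))
    return triples, problems


def check_output_stanza(conf_text: str, stanza: str, on_search_head_cluster: bool):
    """Return a list of findings (strings) for one db_outputs.conf output stanza."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain '%'-free cron/SPL text
    cp.read_string(conf_text)
    if stanza not in cp:
        return [f"stanza [{stanza}] not found"]
    s = cp[stanza]
    findings = []

    _, mapping_problems = parse_mappings(s.get("customized_mappings", ""))
    findings.extend(mapping_problems)

    # SPL has a 'fields' command but no 'field' command; a search that errors out
    # produces no result rows, so the output has nothing to write.
    if re.search(r"\|\s*field\s", s.get("search", "")):
        findings.append("search uses '| field'; the SPL command is 'fields'")

    # Per the DB Connect 3 documentation quoted in the thread, scheduled inputs and
    # outputs are not supported on a search head cluster member.
    if on_search_head_cluster and s.get("scheduled", "0").strip() == "1":
        findings.append("scheduled output on a search head cluster member is unsupported; run it on a heavy forwarder")

    if s.get("disabled", "0").strip() == "1":
        findings.append("output is disabled")
    return findings


if __name__ == "__main__":
    for line in check_output_stanza(SAMPLE_DB_OUTPUTS_CONF, "outputAttackinfoToLiveMap", True):
        print("finding:", line)
```

Run against the constructed stanza, the linter reports the ';' between result:attacktype:12 and _time:attacktime:4 and the '| field' command; it reports nothing about scheduling because scheduled = 0 in the posted stanza. Such a check belongs in whatever review step promotes DB Connect configuration to the search tier, since a silent write failure looks identical to "no matching events" from the database side.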